In October 2014, as part of the Firefox 34 beta release, Mozilla introduced its Firefox Hello communications technology enabling users to make calls directly from the browser. On Sept. 20, 2016, Mozilla formally removed support for Firefox Hello as part of the new Firefox 49 release.
The Mozilla Bugzilla entry for the removal of Firefox Hello provides little insight as to why the communications feature is being pulled from the open-source browser. As it turns out, the Firefox Hello removal is related to shifting priorities at Mozilla.
“Our original vision in 2014 was for Firefox Hello to be a tool for sharing and collaboration on the Web,” a Mozilla spokesperson told eWEEK. “Since then, our engineering priorities have shifted, and as a result, we’ve refocused resources to higher-priority initiatives.”
Beyond the removal of Firefox Hello, the new Firefox 49 release is noteworthy in that it patches 18 vulnerabilities, four of which are rated by Mozilla as critical. The four vulnerabilities rated critical are CVE-2016-5275, a global buffer overflow; CVE-2016-5278, a heap buffer overflow; and a pair of memory safety bugs identified as CVE-2016-5256 and CVE-2016-5257.
While not rated critical by Mozilla, CVE-2016-5284 is noteworthy for several reasons. CVE-2016-5284 is an HTTPS certificate pinning vulnerability that was first publicly reported on Sept. 13 as a flaw in the Tor Browser. The Tor Browser, which is based on Firefox, routes its users' traffic through the Tor network to anonymize it.
“Due to flaws in the process we used to update Preloaded Public Key Pinning in our releases, the pinning for add-on updates became ineffective for Firefox release 48 starting Sept. 10, 2016, and ESR 45.3.0 on Sept. 3, 2016,” Selena Deckelmann, senior manager, security engineering, at Mozilla wrote in a blog post. “As of those dates, an attacker who was able to get a mis-issued certificate for a Mozilla website could cause any user on a network they controlled to receive malicious updates for add-ons they had installed.”
Public Key Pinning is a security mechanism that first debuted in Firefox 32 in 2014. At the time, Mozilla explained to eWEEK that key pinning allows site operators to specify which certificate authorities (CAs) may issue valid certificates for them, rather than accepting a certificate from any of the many CAs in the browser's trust store. Firefox ships a preloaded set of such pins for Mozilla's own domains, including the servers that deliver add-on updates; that preloaded set is what lapsed here, so a certificate mis-issued by an otherwise trusted CA would once again pass as valid.
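The following is an added illustration, not code from the article or from Mozilla: a small Python model of how a preloaded pin set is consulted during certificate validation, including the expiry behaviour that made the pins "ineffective". Firefox's built-in pins carry an expiry date, and once it passes the browser stops enforcing them rather than breaking connections for users on a stale build; a release that is still current when its pin set lapses therefore silently loses the protection. The host name, the SPKI byte strings, the expiry date (set to the Sept. 10 date the article gives for Firefox 48), the test-mode flag and the fail-closed option are assumptions constructed for the example.

```python
import base64
import hashlib
from datetime import datetime, timezone


def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over a DER-encoded SubjectPublicKeyInfo, base64-encoded,
    which is the fingerprint form HPKP and Firefox's preloaded pins use."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs; a real checker
# would extract these from the X.509 certificates in the validated chain.
PINNED_ROOT_SPKI = b"constructed-spki: CA that Mozilla pins for its sites"
ROGUE_CA_SPKI = b"constructed-spki: trusted CA that mis-issued a cert"
LEAF_SPKI = b"constructed-spki: leaf key presented by the server"

# Hypothetical preloaded pin set, modelled on Firefox's built-in pins:
# per-host fingerprint lists, an optional report-only test mode, and one
# expiry after which the whole preloaded set stops being enforced.
# The expiry is an assumption chosen to match the article's Sept. 10 date.
PRELOADED_PINS = {
    "expires": datetime(2016, 9, 10, tzinfo=timezone.utc),
    "hosts": {
        "addons.mozilla.org": {
            "pins": [spki_fingerprint(PINNED_ROOT_SPKI)],
            "test_mode": False,
        },
    },
}


def check_pins(host, chain_spki, now, pin_db=PRELOADED_PINS,
               fail_closed_on_expiry=False):
    """Decide whether a served chain satisfies the pins for `host`.

    chain_spki: SPKI DER blobs for every certificate in the already
    CA-validated chain, leaf first. A pin is satisfied if *any* certificate
    in the chain carries a pinned key, so pinning a root or intermediate
    key is enough. Returns (allowed, reason).
    """
    entry = pin_db["hosts"].get(host)
    if entry is None:
        return True, "no pins for host"
    if now >= pin_db["expires"]:
        # Fail-open on expiry is the behaviour that opened the window
        # described in the article; fail_closed_on_expiry is a hypothetical
        # stricter policy for comparison, not a Firefox option.
        if fail_closed_on_expiry:
            return False, "preloaded pin set expired; refusing chain"
        return True, "preloaded pin set expired; pins not enforced"
    pinned = set(entry["pins"])
    if any(spki_fingerprint(spki) in pinned for spki in chain_spki):
        return True, "chain matches a pinned key"
    if entry["test_mode"]:
        return True, "pin mismatch, reported only (test mode)"
    return False, "pin mismatch"


def update_window_demo():
    """Walk the scenario from the article: a mis-issued but CA-trusted chain
    for the add-on server, checked before and after the pin set expires."""
    legit = [LEAF_SPKI, PINNED_ROOT_SPKI]
    misissued = [LEAF_SPKI, ROGUE_CA_SPKI]
    before = datetime(2016, 9, 1, tzinfo=timezone.utc)
    after = datetime(2016, 9, 12, tzinfo=timezone.utc)
    host = "addons.mozilla.org"
    return {
        "legit_before": check_pins(host, legit, before)[0],
        "rogue_before": check_pins(host, misissued, before)[0],
        "rogue_after": check_pins(host, misissued, after)[0],
        "rogue_after_fail_closed": check_pins(
            host, misissued, after, fail_closed_on_expiry=True)[0],
        "unpinned_host": check_pins("example.org", misissued, before)[0],
    }


if __name__ == "__main__":
    for name, allowed in update_window_demo().items():
        print(f"{name}: {'accepted' if allowed else 'rejected'}")
```

The `rogue_before` and `rogue_after` results are the whole story: the same mis-issued chain that pinning rejects on Sept. 1 is accepted on Sept. 12 with no change to the browser, which is why the fix is simply a release whose preloaded pin set has a fresh expiry. When auditing a client that relies on built-in pins, the check worth adding to a release process is that the pin expiry lies safely beyond the planned end of life of the build that carries it.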
Deckelmann noted that Firefox users who have not installed any add-ons face no risk from the key pinning issue, which is fixed in Firefox 49. Exploiting it also requires both a mis-issued certificate for a Mozilla domain and control of the victim's network path. That said, the Tor Browser ships with several add-ons by default, so its users were potentially exposed; the Tor Project issued an update for the vulnerability on Sept. 16.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.