Firefox 34 is now out, and with it, users gain new search and communication features as well as fixes for eight security issues.
The latest release of Mozilla’s open-source Web browser is particularly noteworthy in that it is the first Firefox release since Mozilla’s announcement on Nov. 19 that it was ending its decadelong search partnership with Google.
In Firefox 34, Yahoo is now the default search provider for users in the United States, while Yandex is now the default in Russia and Baidu is the default in China. The search bar itself has also been improved to more easily enable users to use different search engines beyond just the default search provider, meaning that while Yahoo is now the default search engine for those in the U.S., users can easily change the default back to Google.
Mozilla is also introducing its Firefox Hello WebRTC (Web Real-Time Communication) feature in the stable release of Firefox 34. The promise of Firefox Hello is that users will be able to easily make voice calls using only the browser. Chad Weiner, director of product management for Firefox at Mozilla, explained to eWEEK that even though the Firefox Hello feature is in the stable, generally available Firefox 34 release, it will still have a beta label.
“We don’t do this often, but sometimes we iterate so much on a feature in its formative stages, even when it is available to our release channel, that it makes more sense to still designate a feature as being in a beta state, even as it is available to a mass audience,” Weiner said. “We’re confident in the performance of the feature, but it’s still new so we expect to have to work out some bugs along the way.”
In terms of what’s next, Mozilla is looking at ways to bring collaboration elements to Hello so users can share more online experiences and be more productive, he said.
From a security standpoint, Firefox 34 is the first Firefox release to completely disable support for the Secure Sockets Layer (SSL) 3.0 cryptographic protocol. SSL 3.0 was revealed to be at risk of exploitation from the POODLE vulnerability. Rival browser vendor Google, meanwhile, decided to initially only drop fallback compatibility for SSL 3.0 with the Chrome 39 browser and is not expected to drop SSL 3.0 support entirely until Chrome 40 later this month.
“Dropping support for SSLv3 entirely protects more users from its inherent vulnerabilities,” Weiner said. “We’re putting users’ safety online first and trying to aggressively push the Web toward more secure alternatives.”
As part of the Firefox 34 release, Mozilla has issued eight security advisories, three of which are rated as being critical.
Among the critical advisories is one that most Firefox releases include, covering what Mozilla refers to as “Miscellaneous memory safety hazards.” The second critical advisory is for a use-after-free memory issue in HTML5 parsing that is identified as CVE-2014-1592.
The third critical security advisory is for a buffer overflow issue identified as CVE-2014-1593, which was reported to Mozilla by a Google security researcher.
“Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover a buffer overflow during the parsing of media content,” Mozilla’s security advisory warns. “This leads to a potentially exploitable crash.”
The Address Sanitizer tool is open-source technology from Google that is used by security researchers to help identify potential use-after-free flaws in software code.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.