Firefox 30 Delivers 7 Security Fixes, Other Changes

In contrast to the fanfare associated with Firefox 29 and its new interface, Firefox 30 delivers security fixes and incremental feature updates.

Firefox 30

Not all browser releases are full of exciting, new features users will immediately notice. The Mozilla Firefox 30 browser does not include major new features, yet it does provide users with security fixes and some incremental updates.

Released June 10, Firefox 30 improves on the Firefox 29 browser, which debuted April 29 with the biggest user interface update for the open-source browser in years.

On the user interface side, the Firefox 30.0 release notes indicate that the sidebars button in the browser now enables faster access to social, bookmark and history sidebars. Additionally, with Firefox 30.0, Mozilla is now providing users with support for the GStreamer 1.0 framework for multimedia streaming.

Firefox 30.0 includes seven security advisories attached to the open-source browser release.

As is common in nearly every Firefox release, one of the security advisories is identified as fixing "miscellaneous memory safety hazards." In the case of Firefox 30, only two memory hazards, CVE-2014-1533 and CVE-2014-1534, are patched.

Firefox isn't the only Web browser that has to face the challenge of memory-related security vulnerabilities. As part of its June Patch Tuesday update, Microsoft patched the Internet Explorer browser for 54 memory-corruption vulnerabilities.

In addition to the miscellaneous memory safety hazards, three of the Firefox security advisories deal with use-after-free memory vulnerabilities. "Use-after-free" flaws enable an attacker to abuse memory space from properly allocated program space.

Mozilla Foundation Security Advisory (MSFA) 2014-49 identifies CVE-2014-1536, CVE-2014-1537 and CVE-2014-1538 as use-after-free vulnerabilities that were found with Google's Address Sanitizer tool. The Address Sanitizer technology is an open-source tool for detection of memory errors in C and C++ code.
"Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a number of use-after-free and out-of-bounds read issues using the Address Sanitizer tool," Mozilla states in its advisory. "These issues are potentially exploitable, allowing for remote code execution."

The Google Address Sanitizer tool was also used by the BlackBerry security team to find a use-after-free error in Firefox's event listener manager code. Famed security researcher "Nils" also is credited with the discovery of a use-after-free vulnerability that was discovered using Address Sanitizer. Nils first rose to notoriety in 2009 when he was able to successfully exploit Microsoft's Internet Explorer, Apple Safari and Mozilla Firefox in the Pwn2own hacking competition.

There are also two security advisories in Firefox 30 for buffer-overflow issues—one affecting the Web audio component and the other the Gamepad API. The Gamepad API was first introduced in the Firefox 29 release, enabling the browser to use a gamepad control device for gaming.

Finally, Firefox 30.0 provides a fix for a click-jacking flaw identified as CVE-2014-1539 that only affects Mac OS X users. Firefox 30.0 is available for Windows, Linux and Mac OS X systems. Click-jacking is an attack vector in which a malicious object is hidden underneath a legitimate Web button that a user is likely to click.

"Security researcher Jordi Chancel reported a mechanism where the cursor can be rendered invisible after it has been used on an embedded flash object when used outside of the object," Mozilla warned in its advisory. "This flaw can be in used in combination with an image of the cursor manipulated through JavaScript, leading to click-jacking during interactions with HTML content subsequently."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.