Firefox 33 Fixes Flaws, Improves Content Security Policy

Mozilla's new open-source browser release includes patches for eight security advisories. Three are rated critical.

Mozilla Firefox 33

Mozilla came out Oct. 14 with its new Firefox 33 Web browser, providing users with incremental feature updates and patches for eight different security advisories. Firefox 33 follows Mozilla's Firefox 32 release in September, which included fixes for six security advisories.

Firefox 33 includes three security advisories that Mozilla rated critical. MFSA 2014-74 is identified by Mozilla as "miscellaneous memory safety hazards" and is associated with the CVE-2014-1574 and CVE-2014-1575 vulnerabilities.

The other critical security advisory is MFSA 2014-79, which details a use-after-free memory flaw, identified as CVE-2014-1581, that a security researcher working with Hewlett-Packard's TippingPoint Zero-Day Initiative reported.

"Security researcher regenrecht reported, via TippingPoint's Zero-Day Initiative, a use-after-free during text layout when interacting with text direction," Mozilla's security advisory warned. "This results in a crash, which can lead to arbitrary code execution."

The third critical advisory, MFSA 2014-77, is associated with the CVE-2014-1578 out-of-bounds WebM video vulnerability. WebM is an open-source video format technology.

"Using the Address Sanitizer tool, security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team found an out-of-bounds write when buffering WebM format video containing frames with invalid tile sizes," Mozilla's security advisory warned. "This can lead to a potentially exploitable crash during WebM video playback."

Firefox 33 isn't just about patches; it also improves existing security features. Among the features being introduced is a new Content Security Policy (CSP) back-end. Sid Stamm, principal security and privacy engineer at Mozilla, told eWEEK that the new CSP back-end is a more efficient implementation of the CSP feature called Content Security Policy (CSP) that was first introduced in Firefox 4 back in March 2011.

The basic idea behind CSP is to help limit the risk of cross-site scripting (XSS) attacks by enabling sites to declare where content can be loaded from.

"While this new back-end doesn't add new Web protections, it strengthens some already in Firefox," Stamm said. "This is just one step in our efforts to make Firefox security tools fast and effective."

Looking beyond just security fixes, Firefox has been working on a feature called Enhanced Tiles that was in the beta version of Firefox 33. Enhanced Tiles brings users links from Mozilla partners, on a user's new tab page. While the Enhanced Tiles feature was in Firefox 33 Beta, it is not in the final stable release.

"Enhanced Tiles are turned on in Nightly, Aurora and Beta and will be in general release soon," Denelle Dixon-Thayer, senior vice president of business and legal affairs at Mozilla, told eWEEK. "We are working with foundational partners but do not currently have any paid advertising in the builds."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.