Firefox 44 Debuts With Improved Security

Mozilla adds push notification support and provides 11 security advisories with its latest open-source browser release.

Mozilla Firefox 44

Mozilla came out today with its first Firefox browser release for 2016, providing new features and hardened security.

Firefox 44 follows Firefox 43, which was released Dec. 15 and provided improved tracking protection for users. With Firefox 44, Mozilla is adding in the ability for users to get push notifications from sites by making use of the Web Push W3C standard.

"An application server can send a push message at any time, even when a webapp or user agent is inactive," the W3C standard abstract states. "Push messages are delivered to a Service Worker that runs in the origin of the webapp, which can use the information in the message to update local state or display a notification to the user."

The Service Worker and Web Push APIs are part of Mozilla's overall push to enable a type of technology known as Progressive Web Apps. The basic idea behind Progressive Web Apps is to have the browser tooling in place that enables more interactive connectivity for Web pages.

From a security perspective with the Firefox 44 release, Mozilla has now deprecated support for the RC4 SSL/TLS (Secure Sockets Layer/Transport Layer Security) stream cipher. RC4 was once the most widely used SSL cryptographic cipher in use, but in recent years has been proven to be at risk from attack. Mozilla has been incrementally moving to remove RC4 support, since the Firefox 38 release in May 2015.

"Until recently, RC4 was fully supported by Firefox to maintain compatibility with older servers, but over the past year, we've been gradually removing support," Mozilla developer April King wrote in a blog post.

As part of the Firefox 44 update, Mozilla is also issuing 11 security advisories for vulnerabilities, of which three are rated critical. Among the critical advisories is MFSA-2016-01, which patches a pair of memory safety flaws identified as CVE-2016-1930 and CVE-2016-2031. There is also a critical patch for a buffer overflow vulnerability identified as CVE-2016-1935. The third critical patch is for three separate vulnerabilities (CVE-2016-1944, CVE-2016-1945 and CVE-2016-1946) that involve unsafe memory manipulations that were found through code inspection.

"Security researcher Ronald Crane reported three vulnerabilities affecting released code that were found through code inspection," Mozilla wrote in its security advisory. "These include a high-rated memory safety issue in the ANGLE graphics library, a moderate-rated potential wild pointer flaw when handling zip files and a critical-rated integer overflow during metadata parsing in Mozilla's use of the libstagefright library."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.