Mozilla Firefox 38 Gets a Baker's Dozen Security Updates

Five of the 13 security updates for Firefox 38 are considered critical. Mozilla also disabled the RC4 cipher suite for encrypted TLS data.

Firefox 28

Mozilla today released an update to its open-source Firefox Web browser, providing security fixes and several new capabilities. Firefox 38 follows the Firefox 37 release, which debuted March 31.

Firefox 37 was noteworthy in that it marked the debut of a new security approach known as opportunistic encryption. With opportunistic encryption, Firefox was supposed to be able to encrypt potentially sensitive data that would otherwise have been sent unencrypted and in the clear.

However, opportunistic encryption itself represented a security risk and was removed in the Firefox 37.0.1 update. With Firefox 38, it's unclear if opportunistic encryption has been re-enabled. Mozilla did not respond to a request for comment by press time.

From an encryption perspective, the new Firefox 38 is noteworthy in that the RC4 cryptographic cipher suite has been disabled. There is currently a draft IETF (Internet Engineering Task Force) specification that is all about prohibiting the use of RC4.

"RC4 is a stream cipher described, which is widely supported, and often preferred, by TLS [Transport Layer Security] servers," the IETF draft states. "However, RC4 has long been known to have a variety of cryptographic weaknesses."

As there are still sites that make use of RC4, Firefox 38 has a hard-coded list of sites that it will support. Firefox users can choose to disable the built-in whitelist by setting the Firefox preference for "security.tls.insecure_fallback_hosts.use_static_list" to false.

Mozilla has also issued 13 security advisories for vulnerabilities fixed in the Firefox 38 release. Of those 13, Mozilla has rated five critical.

Among the critical advisories is MFSA-2915-46, which is titled "Miscellaneous memory safety hazards" and patches the CVE-2015-2708 and CVE-2015-2709 security vulnerabilities.

Two of the other critical advisories detail buffer overflow issues. CVE-2015-2710 is an overflow that was found when rendering SVG graphics that could have potentially enabled an exploitable crash. The second critical buffer overflow vulnerability is CVE-2015-2716, which involves XML data.

"Security researcher Ucha Gobejishvili used the Address Sanitizer tool to find a buffer overflow while parsing compressed XML content," Mozilla warned in its advisory. This was due to an error in how buffer space is created and modified when handling large amounts of XML data. "

The Address Sanitizer tool is an open-source application originally developed by Google and widely used by security researchers to help identify potential memory security vulnerabilities. Address Sanitizer was also used to discover the CVE-2015-2714 critical use-after-free vulnerability fixed in Firefox 38.

The fifth critical advisory for Firefox 38 patches CVE-2015-2712, which is an out-of-bounds memory security vulnerability in asm.js. The asm.js JavaScript library first landed in Firefox back in 2013 as a technology to help enable a new era of browser-based Web gaming.

"Security researcher Dougall Johnson reported an out-of-bounds read and write in asm.js during JavaScript validation due to an error in how heap lengths are defined," Mozilla said in its advisory. "This results in a potentially exploitable crash and could allow for the reading of random memory which may contain sensitive data."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.