Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity

    Mozilla Patches Firefox 26 With 14 Security Advisories

    By
    Sean Michael Kerner
    -
    December 10, 2013
    Share
    Facebook
    Twitter
    Linkedin

      Mozilla is out today with its latest milestone Firefox release, this time providing security fixes as well as new functionality in the open-source Web browser.

      The Firefox 26 release first entered beta in early November. From a security feature perspective, the big change that Firefox 26 introduces is the concept of “click-to-play” plug-ins. Prior to Firefox 26, plug-ins such as Java would just load inside the browser whenever required by a given Website, and without the need for any specific user interaction.

      With Firefox 26, Mozilla has now restricted the ability of Java plug-ins to auto-load and automatically run. Other competitive Web browsers, including Apple’s Safari 7, already enable the same type of functionality. One of the primary differences between Firefox 26’s click-to-play implementation and Safari 7’s is that Firefox currently does not block Flash media content with click-to-play. The risk from automatically enabled plug-ins is that a user could potentially be directed to a malicious Website where a plug-in is used to automatically deliver some form of malware payload.

      The plan is to expand the click-to-play effort in future releases of Firefox.

      “The latest release of Firefox will continue to enable all plug-ins—except Java—by default while the click-to-play feature goes through additional testing in beta,” Chad Weiner, product manager for Firefox, told eWEEK. “In the coming weeks, we will announce details of a plug-in whitelist policy that will provide a path to exempting certain plug-ins and Websites from our click-to-play policy.”

      From a security patch perspective, Mozilla has attached 14 security advisories to the Firefox 26 release, with five marked as critical. Three of the critical advisories deal with use-after-free memory errors. Use-after-free memory vulnerabilities occur when unused authorized memory remains accessible to other programs, enabling attackers to potentially execute arbitrary code.

      Two of the three use-after-free memory vulnerabilities were reported to Mozilla by security researchers working with the BlackBerry Security Automated Analysis Team. Mozilla first began partnering with BlackBerry for security in July. The BlackBerry research team used Address Sanitizer—a widely used open-source tool for discovering memory flaws that was originally built by Google—to find the flaws.

      Mozilla also credited the BlackBerry security researchers with discovering another critical flaw by using the Address Sanitizer tool.

      “Security researchers Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover a mechanism where inserting an ordered list into a document through script could lead to a potentially exploitable crash that can be triggered by web content,” Mozilla’s advisory explains.

      Firefox 26 also includes an update rated as having high impact for a JPG image file information leak vulnerability. Mozilla Security Advisory 2013-16 credits Google security researcher Michal Zalewski with the discovery of the flaw. According to Mozilla, the flaw “could allow for the possible reading of arbitrary memory content as well as cross-domain image theft.”

      In addition, Mozilla credited Google with reporting a Secure Sockets Layer (SSL) certificate-related flaw. The issue, which Google reported to Mozilla on Dec. 4, involves an SSL certificate that had been erroneously issued that should no longer be trusted.

      “This certificate was issued by Agence nationale de la sécurité des systèmes d’information (ANSSI), an agency of the French government and a certificate authority in Mozilla’s root program,” Mozilla’s advisory states. “A subordinate certificate authority of ANSSI mis-issued an intermediate certificate that they installed on a network monitoring device, which enabled the device to act as a MITM proxy performing traffic management of domain names or IP addresses that the certificate holder did not own or control.”

      Firefox 26 isn’t just about security; it also improves performance by way of at least one interesting bug fix. Mozilla bug #847223, titled “Don’t decode images that aren’t visible when we download them,” is a bug that Gavin Sharp, lead Firefox engineer at Mozilla, sees as a great example of the benefits of Mozilla’s continuous investment in memory-use improvements (project code name: MemShrink).

      “Firefox is best-in-class on memory use, thanks to fixes like that one,” Sharp told eWEEK. “It results in a big reduction of peak memory usage on image-heavy pages like Flickr or other image galleries, and reducing memory use has all sorts of positive additional effects like increased stability, responsiveness and performance.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×