Mozilla came out today with its open-source Firefox 43 browser release, giving users a number of security enhancements and patching vulnerabilities. The Firefox 43 release is likely the last Mozilla Firefox release for 2015 and follows the Firefox 42 release that debuted on Nov. 2.
A key feature that debuted in the Firefox 42 release is Tracking Protection, which is being further enhanced in the new Firefox 43 release. In Firefox 42, Tracking Protection blocked some forms of tracking content that came from advertising and analytics platforms. With Firefox 43, Tracking Protection is now being extended to block trackers that are found in embedded content such as video and photos.
“We’re seeing early positive feedback [on the Tracking Protection feature] and will continue to gather input as we develop the feature,” Denelle Dixon-Thayer, chief legal and business officer at Mozilla, told eWEEK.
Tracking Protection isn’t the only area of security hardening in Firefox 43. There is a also a patch that supports what is known as Subresource Integrity (SRI), which is a technology that allows Websites to ensure that their dependencies can’t attack their users.
“Without SRI, if a page on Site A includes a script from another Site B, the page expects Site B to send the legitimate script, but it has no guarantee—Site B could just as well provide a malicious script,” Richard Barnes, Firefox security lead at Mozilla, told eWEEK. “SRI allows Site A to ensure that only legitimate content will be accepted from Site B.”
Mozilla is also issuing 16 different security advisories alongside the Firefox 43 release, but only three of them are rated critical. Among the critical security advisories is MFSA-2015-134, which patches two separate memory safety vulnerabilities (CVE-2015-2015-7201 and CVE-2015-2015-7202).
The second critical security advisory in Firefox 43 is for privilege-escalation vulnerabilities in Mozilla’s WebExtension API that are identified as CVE-2015-7223. There is also a critical advisory for a use-after-free (UAF) memory flaw in Firefox’s WebRTC (Real Time Communications) support, identified as CVE-2015-7210.
“Mozilla developer Kris Maglione reported a mechanism where WebExtension APIs could be used to escalate privilege,” Mozilla warns in its advisory. “Depending on the privileges of the extension used, this could result in personal information theft and cross-site scripting (XSS) attacks, including theft of browser cookies.”
The final critical advisory for Firefox 43 is for CVE-2015-7214, which Mozilla describes as a cross-site reading attack through data and view-source URIs.
While security is a big part of the Firefox 43 release, the new Mozilla browser is also noteworthy in that it is the first time that a 64-bit build is being made available for Windows operating system users. “64-bit versions of Firefox were already available for MacOS X and Linux,” Fabio Rios, Firefox product marketing manager at Mozilla, told eWEEK. “We rolled out a 64-bit Firefox for Windows to our general audience when our high standards were met.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.