While customers have gotten into a rhythm with Microsoft’s Patch Tuesday cycle, that rhythm can lead to oversights when other vendors release patches on their own schedule. Often touted as a “more secure” alternative to Internet Explorer, Firefox has its own share of vulnerabilities, and Mozilla has just released updates that resolve fourteen of them.
Of the 14 security advisories Mozilla released with this Firefox version, five are rated critical. Mozilla defines critical as a “vulnerability [that] can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.” The advisory titles are summarized below; each MFSA number corresponds to a full advisory on Mozilla’s security advisories page.
MFSA 2013-117 Mis-issued ANSSI/DCSSI certificate
MFSA 2013-116 JPEG information leak
MFSA 2013-115 GetElementIC typed array stubs can be generated outside observed typesets
MFSA 2013-114 Use-after-free in synthetic mouse movement
MFSA 2013-113 Trust settings for built-in roots ignored during EV certificate validation
MFSA 2013-112 Linux clipboard information disclosure through selection paste
MFSA 2013-111 Segmentation violation when replacing ordered list elements
MFSA 2013-109 Use-after-free during Table Editing
MFSA 2013-108 Use-after-free in event listeners
MFSA 2013-107 Sandbox restrictions not applied to nested object elements
MFSA 2013-106 Character encoding cross-origin XSS attack
MFSA 2013-105 Application Installation doorhanger persists on navigation
MFSA 2013-104 Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)
Two of the security issues were discovered in cooperation with BlackBerry, while a third was discovered by security researchers at Google. The certificate issue (117) is also being addressed by Microsoft, which is invalidating the mis-issued certificate in the operating system’s trusted root store. However, Firefox ships and consults its own certificate store rather than the operating system’s, so the Microsoft update does nothing for Firefox: even if you have applied it, you still need to patch Firefox separately.
All three “use-after-free” issues (108, 109 and 114) are very important to address. Each involves memory being accessed after it has been freed, and an attacker who can control what gets reallocated in that freed memory can turn that into execution of malicious code. All users are encouraged to update their browsers as soon as possible. To update an existing install:
1. At the top of the Firefox window click the Firefox button, go over to the Help menu and select About Firefox.
2. The About Firefox window will open and Firefox will begin checking for updates and downloading them automatically.
3. When the updates are ready to be installed, click Restart to Update.
Or you can reinstall Firefox to get the latest version by downloading and installing from https://www.mozilla.org/en-US/firefox/all/.
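For anyone tracking this across more than one machine, the check that matters is whether the installed build is at or above the fixed version for its branch, and the advisory title for 2013-104 gives both: 26.0 on the release branch and 24.2 on the ESR branch. The trap is that an ESR install reporting 24.2.0esr is patched even though 24.2 is numerically below 26.0, while a release-branch 24.0 or 25.0.1 is not. The script below is an added example (not code from the original post or from Mozilla) that encodes that rule; the version strings and the application.ini fragment are constructed samples, and the assumption is that Firefox’s application.ini exposes the build in a Version= line in the form shown.

```python
"""Check whether a Firefox build carries the fixes from MFSA 2013-104 to 2013-117.

Added example, not code from the original post or from Mozilla. The fixed
builds are taken from the advisory title "rv:26.0 / rv:24.2": Firefox 26.0 on
the release branch, 24.2 on the ESR branch. Version strings such as "24.2.0esr"
or "25.0.1" are constructed samples in the format assumed for the Version=
line of Firefox's application.ini.
"""
import re

# Minimum fixed version per branch, from the advisory (rv:26.0 / rv:24.2).
FIXED = {"release": (26, 0, 0), "esr": (24, 2, 0)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?([a-z]+\d*)?$")


def parse_version(text):
    """Split '24.2.0esr' into ((24, 2, 0), 'esr'); plain '26.0' gets branch 'release'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Firefox version string: %r" % text)
    major, minor, patch, tag = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    tag = tag or ""
    if tag == "esr":
        return version, "esr"
    if tag.startswith(("a", "b")):
        # nightly/aurora/beta builds: not one of the final builds the advisory names
        return version, "prerelease"
    return version, "release"


def is_patched(version_text):
    """True if the build is at or above the fixed version for its own branch."""
    version, branch = parse_version(version_text)
    if branch == "prerelease":
        # Only the final 26.0 / 24.2 builds are covered by the advisories; treat
        # pre-release builds conservatively as needing an update.
        return False
    return version >= FIXED[branch]


def version_from_application_ini(ini_text):
    """Pull the Version= value out of the contents of Firefox's application.ini."""
    for line in ini_text.splitlines():
        if line.startswith("Version="):
            return line.split("=", 1)[1].strip()
    raise ValueError("no Version= line found in application.ini contents")


def report(version_text):
    """One-line status for an installed build."""
    _, branch = parse_version(version_text)
    status = "patched" if is_patched(version_text) else "UPDATE REQUIRED"
    return "%s (%s branch): %s" % (version_text, branch, status)


# Constructed sample of the [App] section of an ESR install's application.ini.
SAMPLE_INI = "[App]\nVendor=Mozilla\nName=Firefox\nVersion=24.2.0esr\n"

if __name__ == "__main__":
    print(report(version_from_application_ini(SAMPLE_INI)))
    for sample in ("25.0.1", "26.0", "24.0", "24.1.1esr", "17.0.11esr", "26.0b1"):
        print(report(sample))
```

On a Windows install the file to read is application.ini under the Firefox program directory (for example C:\Program Files (x86)\Mozilla Firefox); a patch-management tool that only compares against 26.0 will wrongly flag every ESR 24.2 machine, which is why the branch is parsed before the comparison.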
Mozilla released Firefox 26 in beta last month, and this release includes a significant shift in its approach to plug-in security. Starting with Java, Firefox no longer allows the plug-in to load and run automatically when content on a website requires it. Instead, Firefox is starting to deploy “Click-to-Play,” which requires explicit user action before a plug-in will load. Initially this only restricts Java, but it is likely to expand to other third-party functionality including Flash, PDF readers, and more. The Firefox team has indicated that future releases may also use a whitelist approach to enable some plug-ins by default.
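Click-to-Play is a per-plug-in preference, so a user (or a profile that predates the change) can still have a plug-in set to load automatically. The following added example, which is not code from the original post or from Mozilla, audits a profile’s prefs.js for that. It assumes, as the page does not state, that Firefox records each plug-in’s activation policy in a preference named plugin.state.<name> with 0 = never activate, 1 = ask to activate (Click-to-Play) and 2 = always activate, and that plugin.default.state supplies the fallback for plug-ins without their own entry. The prefs.js text is constructed for the example.

```python
"""Audit Click-to-Play plug-in settings in a Firefox prefs.js.

Added example, not code from the original post or from Mozilla. Assumptions
(not stated on the page): per-plug-in activation policy lives in the
preference "plugin.state.<name>" with 0 = never activate, 1 = ask to activate
(Click-to-Play), 2 = always activate, and "plugin.default.state" is the
fallback for plug-ins with no entry of their own. The prefs.js sample below
is constructed for the example.
"""
import re

STATE_NAMES = {
    0: "never activate",
    1: "ask to activate (Click-to-Play)",
    2: "always activate",
}

# One prefs.js entry looks like: user_pref("plugin.state.java", 1);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref(...) line; values become bool/int/str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment lines, blank lines and anything malformed are skipped
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave anything unexpected as the raw text
    return prefs


def plugin_policy(prefs, plugins=("java", "flash")):
    """Resolve each plug-in's state, falling back to plugin.default.state.

    A plug-in with neither its own entry nor a default entry maps to None,
    meaning the profile leaves it at Firefox's built-in default.
    """
    default = prefs.get("plugin.default.state")
    return {name: prefs.get("plugin.state." + name, default) for name in plugins}


def auto_loading_plugins(prefs, plugins=("java", "flash")):
    """Plug-ins set to 'always activate' (state 2), i.e. no Click-to-Play protection."""
    return sorted(name for name, state in plugin_policy(prefs, plugins).items() if state == 2)


def describe(prefs, plugins=("java", "flash")):
    """Human-readable line per plug-in."""
    lines = []
    for name, state in sorted(plugin_policy(prefs, plugins).items()):
        label = STATE_NAMES.get(state, "not set in profile (built-in default applies)")
        lines.append("%s: %s" % (name, label))
    return lines


# Constructed sample: Java on Click-to-Play, Flash still auto-loading, default "always".
SAMPLE_PREFS_JS = '''\
# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.background-update-timer", 1386500000);
user_pref("plugin.default.state", 2);
user_pref("plugin.state.java", 1);
user_pref("plugin.state.flash", 2);
user_pref("browser.startup.homepage", "https://www.mozilla.org/");
'''

if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS_JS)
    for line in describe(prefs, ("java", "flash", "pdf")):
        print(line)
    print("auto-loading:", auto_loading_plugins(prefs, ("java", "flash", "pdf")))
```

Run against a real profile, point parse_prefs at the contents of prefs.js in the profile directory; any plug-in the audit lists as auto-loading is one that Click-to-Play is not protecting on that machine.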