Firefox 20 arrives - new version, some security improvements, no known vices


Firefox 20.0 was released today.

The buglist page enumerates 3054 official changes.

Despite the title buglist, these aren't all flaws that needed fixing.

The updates run from the benign-sounding bug #819202 ("attempting to open a new public window when a private window is focused opens a new private window") to enhancement #800085 ("complete gecko testing for identity SignInToWebsiteController").

Amongst this month's changes, however, are eleven patched vulnerabilities.

All of them, at least at the time of writing, are shown on the official vulnerabilities page with their Security Advisory links coloured in red, denoting a Critical impact.

Update. The colours on the Firefox vulnerabilities page have been fixed. Things now look a lot less dramatic from a security point of view! (2013-04-02T22:31Z)

Red-coloured vulnerabilities officially denote bugs that:

can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.

Mozilla, however, has been unkind to itself, because drilling in to each MFSA (Mozilla Foundation Security Advisory) item tells a slightly different story, with the real vulnerability severity counts as follows:

  • Critical: 3
  • High: 4
  • Moderate: 4

Bugs at the high level, usually coloured orange in Mozilla's security rainbow, aren't to be sneezed at, as they typically lead to data leakage or cross-site scripting. But they don't offer attackers RCE, or remote code execution.

And yellow-coloured moderate bugs, in Mozilla's words, would be critical or high but for the fact that they:

only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.

Additionally, one of the bugs rated critical (MFSA 2013-035) only affects Linux users who have the Intel Mesa graphics drivers installed - the rest of us can stand down from RCE alert.

Firefox 20.0 also has a couple of feature enhancements thrown in for good measure, and Mozilla seem pretty proud of these:

  • A download manager that's a little clickable arrow rather than a new browser window.
  • Per-window private browsing so you don't need to exit and restart Firefox to switch from stateful to private use.

By the way, I recommend setting Firefox to delete as much of your history as you can bear to lose (notably including cookies) whenever you exit, as it gives you that bit less to worry about next time you start up the browser.

If you use Private Browsing all the time, your "delete history on exit" settings are effectively maximised, because Firefox doesn't keep any history as you browse.

If you choose to let Firefox remember some or all your browsing history as you go along, you can use the Clear history when Firefox closes setting in the Preferences|Privacy pane to ensure your history is deliberately discarded once you exit from the Firefox application.
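One way to check that advice across saved profiles, as an added example that is not from the original article or from Mozilla: it reads a profile's prefs.js and reports whether history is discarded on exit. It assumes the about:config names behind the Privacy pane in Firefox releases of this era (privacy.sanitize.sanitizeOnShutdown, privacy.clearOnShutdown.*, browser.privatebrowsing.autostart); the sample profile text is constructed.

```python
import re

# Matches lines such as: user_pref("privacy.sanitize.sanitizeOnShutdown", true);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Assumption: pref names as used by Firefox of this era; newer builds may differ.
SANITIZE = "privacy.sanitize.sanitizeOnShutdown"
ALWAYS_PRIVATE = "browser.privatebrowsing.autostart"
CLEAR_PREFIX = "privacy.clearOnShutdown."


def parse_prefs(text):
    """Return {name: value} for the user_pref lines of a prefs.js file."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything malformed
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = raw.strip('"')  # strings and numbers kept as text
    return prefs


def audit(prefs):
    """Return a list of findings; an empty list means history is discarded on exit."""
    if prefs.get(ALWAYS_PRIVATE) is True:
        return []  # permanent Private Browsing keeps no history as you browse
    if prefs.get(SANITIZE) is not True:
        return ["history is kept across restarts: %s is not true" % SANITIZE]
    # Sanitising is on: report every category the user explicitly opted out of.
    return sorted(
        "%s survives exit" % name[len(CLEAR_PREFIX):]
        for name, value in prefs.items()
        if name.startswith(CLEAR_PREFIX) and value is False
    )


# Constructed sample profile, not taken from a real machine.
SAMPLE = '''
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.cache", true);
'''

FINDINGS = audit(parse_prefs(SAMPLE))
```

Only prefs changed from their defaults are written to prefs.js, so a category that is absent from the file is not flagged here.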

And lastly, there's an enhancement described as the "ability to close hanging plugins, without the browser hanging."

Mozilla refers to this as a new feature, which it may well be, though if you wanted to be unkind, you might prefer to think of it as merely overdue.

Regular readers will know I'm a Firefox early adopter, and the 20.0 update hasn't given me any surprises: my favourite add-ons still seem to work, and this article was prepared after updating.

So there you have it: new version, some security improvements, no known vices.


16 Responses to Firefox 20 arrives - new version, some security improvements, no known vices

  1. Luna · 533 days ago

    I liked Mozilla until about 3 months ago when my text started fraying. It is only that way in Mozilla. I had hoped with the upgrade the problem would be gone but it's not. I tried all their troubleshooting tips to no avail. So disappointing.

  2. Not sure if this is happening to anyone else. But I just installed FF 20 for OSX, and now my contextual menu is FULL of non-functional menu items. Looks like it's every choice that would conditionally be available.

    I've tried re-downloading and it hasn't helped. Is anyone else experiencing this?

    • peter · 532 days ago

      YES exactly so... copy is only on the EDIT menu !

    • Btrieve · 531 days ago

      The same thing happened on my Linux-box. I had to go back to v19.

    • In case anyone else is experiencing this: it was because of Firebug. If anyone has this problem, narrow down the culprit by disabling Extensions.

  3. Jeremy · 533 days ago

    I prefer Firefox's security features over Chrome's. They always block suspicious Java applets and out of date Flash addons. Chrome just makes it impossible to customise security.

  4. Big D · 533 days ago

    Chrome is easy to configure securely, you just have to look at the system to understand it. It patches without further downloads, has Java disabled by default and updates Flash within the browser so you don't need another standalone installation.

    It's also faster than Firefox by some margin.

    • Carlos · 533 days ago

      Except that Chrome itself is spyware that monitors all your browsing activity. No person with a reasonable concern about privacy would consider using Chrome.

  5. I keep bouncing back and forth between Chrome, Firefox, Waterfox and even Advant but lately I've experienced more website/webpage display issues with Chrome than I have with Aurora, "nightly" or Waterfox. Chrome is nice with Java off by default and Chrome does seem better at catching drive-by malware - or even the suspicion of hidden malware on a website, but I still use Firefox "Aurora" or "Waterfox" for 90% of my browser time.

    Interesting that you never cover the other Firefox variations - Aurora and Nightly. Would be nice to see your comments on these as they get updated and closer to official "LIVE" status.

  6. Guest · 533 days ago

    Luna, what do you mean by 'fraying', that's normally a term applied to fabric that shows signs of wear and/or distress? Do you mean the text characters are indistinct? Or blurred? I've not seen any such problem on any of 62 systems I monitor!

    I personally prefer FF as Chrome has several 'hidden' actions that you cannot prevent as there are no controls for them! The EU suspect that Google do more than they admit and there is an investigation starting about their 'privacy policy' and its wording.

  7. spryte · 532 days ago

    Just looks like stuff I've been used to having for years. In Opera.

  8. peter · 532 days ago

    Aaron Baxter with OSX

    Context Menu... on WIN ... aged ... ditto ie loads 'a LOAD of duff options.

    WELL, not surprised at that report; indeed it's like that on WINDOWS XP SP 2 (yes & don't ask) ... yet COPY is only available via EDIT !

    OK no bugs, must be imagination.
    ( This menu has wandered strangely in the past, but this time it's beautiful)

  9. Cnare · 532 days ago

    I am having a terrible time with Firefox 20.0. I have downloaded it twice and still can't use it. It wants to load something and when I say yes it goes away. Then when I go to open the browser again, up it pops. I can't say NO and open my browser. Foxfire is in a mini window that I can't navigate at all. Big lettering. Just awful. I have moved over to Internet Explorer for now. Just can't take it anymore.

  10. Gabbar Singh · 525 days ago

    Right now Firefox is using ~ 20% cpu polling for some unavailable resource. The polling appears to have a VERY short throttle.

    Here's strace stats for 10 seconds:

    % time     seconds  usecs/call     calls    errors syscall
    ------ ----------- ----------- --------- --------- ----------------
     83.12    0.027540           1     22303           poll
      8.76    0.002902           0     22304     22304 recvfrom
      4.64    0.001539           0      4772           read
      3.48    0.001152           2       544        64 futex
      0.00    0.000000           0        14           write
      0.00    0.000000           0         2           open
      0.00    0.000000           0         2           close
      0.00    0.000000           0         2           fstat
    ------ ----------- ----------- --------- --------- ------------------------
    100.00    0.033133                 49956     22368 total

  11. Paulo Santos · 523 days ago

    CPU problems here too. Memory is 2,5GB from my 4 GB and very slow typing - the worst Firefox version of all!

  12. fbender · 482 days ago

    Anybody having problems, try to reset your Firefox profile: https://support.mozilla.org/en-US/kb/reset-firefo...


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog