Mozilla pushes out new Firefox and Thunderbird: 8 security advisories, 3 critical fixes

Not to be outdone by Microsoft's and Adobe's Patch Tuesday releases, Mozilla pushed out its latest browser and email client updates today.

The Firefox browser goes to 21.0, on Android as well as on desktops. (You don't install browsers on your servers, do you?)

The Thunderbird email client is only available in an Extended Support Release these days, meaning it gets regular security patches but infrequent product enhancements; it hits 17.0.6.

Microsoft's May 2013 Internet Explorer updates included two patches for which the world was waiting with bated breath - one to fix a vulnerability exposed at the 2013 PWN2OWN competition, and a second to close a much-publicised zero-day briefly found on a US government website at the end of April.

Mozilla, on the other hand, fixed its own PWN2OWN-found flaws within 24 hours, so its last two updates, 20.0 and 21.0, have been largely proactive on the security front.

This time round, there are 681 listed bug fixes, with eight separately-documented security advisories.

Three of those close multiple holes that Mozilla admits "are potentially exploitable, allowing for remote code execution."

→ Memory corruption problems, where software incorrectly writes over its own or another program's code or data structures, are not always exploitable for malicious purposes. But they are always wrong, and often dangerous, especially in browsers and email clients, which spend most of their time processing content from untrusted external sources.

Mozilla, very creditably, tends not to mince its words when dealing with bugs of this sort.

For example, in Mozilla Foundation Security Advisory 2013-41, no exploits were immediately obvious for any of the bugs fixed, leading the team to report nothing worse than "we presume that with enough effort at least some of these could be exploited to run arbitrary code."

Nevertheless, this advisory was rated Critical.

Many users will have Firefox set to grab and deploy updates automatically; if you're one of those who don't, it's Make Your Mind Up Time!

If it helps you to decide, I just published this story in Firefox 21.0 on OS X, immediately after updating.

That's a very minor and entirely unrepresentative "test", but I'm pleased to say my plugins (including the Firebug debugger) have all behaved themselves, and I haven't had any problems.

So I think you may as well go ahead too...

3 Responses to Mozilla pushes out new Firefox and Thunderbird: 8 security advisories, 3 critical fixes

  1. Larry M · 502 days ago

    In OS X? I thought you were a Linux devotee.

    • Paul Ducklin · 502 days ago

      I'm reasonably open-minded about operating systems. (I'm on a Linux box right now, for example.)

      So I wouldn't call myself a devotee of any particular OS.

      I even used Vista once. (I mean *literally* once :-)

  2. what about [Bug 812695] [D2D] Text Rendering Issues due to Windows 7 Platform Update KB2670838 ???

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog