Firefox 22.0 closes a modest bunch of not-yet-exploited holes

Filed Under: Featured, Firefox

Here's a brief note just to remind you that Mozilla's Firefox 22.0 is out, as expected.

As usual, there's a handy mixture of important-sounding security fixes and some interesting new features.

This time there are 14 listed Mozilla Foundation Security Advisories, of which four are at Red Alert (critical level) and six at Orange Alert (high level).

High usually means some sort of data leakage bug or cross-site scripting problem; critical usually means that a crook can, in Mozilla's words, "run attacker code and install software, requiring no user interaction beyond normal browsing."

Critical fixes

If you would like to drill down into the official Mozilla Foundation Advisories (MSFAs) for the four critical fixes, they are:

MFSA 2013-49 Miscellaneous memory safety hazards
MFSA 2013-50 Memory corruption found using Address Sanitizer
MFSA 2013-51 Privileged content access and execution via XBL
MFSA 2013-53 Execution of unmapped memory in onreadystatechange event

The ominous sounding "memory safety hazards" mentioned in MFSA 2013-49 refer to behaviours in which the content of Firefox memory is known to be modified incorrectly.

That doesn't mean there will inevitably be an exploitable remote code execution flaw, but for a would-be attacker, it's certainly a good place to start looking.

New features

Three new features caught my eye.

WebRTC (real time communication) is enabled by default.

This is a set of JavaScript programming features that let you create services such as video chat right in the browser, using embedded JavaScript - no need for a plugin.

A new Services tab appears in under Tools|Add-ons.

Add-on modules specific to what Facebook calls "social services management" will apparently appear here. (No, I don't know quite what this means, but I imagine add-ons that help you send tweets or Like things on Facebook will now be found grouped together here.)

A font inspector is built into the Web Developer tools.

Have you ever liked a font on a web page and wanted a really quick way to identify it?

Now, if you go to Tools|Web Developer|Inspector, you'll see a Fonts tab in the bottom right of the screen that will help you do just that.

Verdict

It hasn't been out long, but I installed Firefox 22.0 almost immediately, and haven't noticed any unwanted changes or problems caused by updating.

There don't seem to be any in-the-wild reports of exploits against any of the potentially exploitable critical vulnerabilities listed above, which might persuade some of you to wait before upgrading.

On the other hand, why wait and risk an easily-preventable disaster?

, , , , , ,

You might like

10 Responses to Firefox 22.0 closes a modest bunch of not-yet-exploited holes

  1. Pity firefox still can't provide a linux installer.

    • Download. Decompress. Run. It's a lot easier than an installer!

    • Lucas A. Dohring · 452 days ago

      yum install firefox #fedora, redhat, centos
      emerge firefox #gento, sabayon
      apt-get install firefox #ubuntu, debian with other sources.list

    • Paul Ducklin · 450 days ago

      The Linux installer isn't 1,000,000 miles away from a Mac-style DMG download. (DMG is a disk-style container, where .tgz is a ZIP-style container.)

      There's a lot to be said for an "installer" that simply involves copying a directory tree containing everything you need to wherever you like. Means you can be fairly sure, when uninstall time comes along, that there isn't any ancillary tat like drivers, libraries and other components that need removing from somewhere else on the disk to restore the *status quo ante*. In fact, you then don't need an uninstaller - you just delete the directory tree.

      OS X's DMG solution is slightly more elegant as you can usually just open the DMG and run the app straight from the mounted DMG filesystem.

      But you can still think of self-contained .tgz application distros as "installers that don't actually even need installing." For applications that don't need libraries and drivers installed system-wide, this is a very elegant approach.

  2. 123 · 452 days ago

    "A new Services tab appears in under Tools|Add-ons.

    Add-on modules specific to what Facebook calls "social services management" will apparently appear here. (No, I don't know quite what this means, but I imagine add-ons that help you send tweets or Like things on Facebook will now be found grouped together here.)

  3. Ruthann Biel · 452 days ago

    I am getting two errors every time I open a new window. ~sigh~

  4. Rookie · 452 days ago

    Gotta love Firefox :)

  5. Woundup · 452 days ago

    I get an error every time i click on anything. " Error:Illegal operation on WrappedNative Prototype object" I have never gotten this error message before since 2003, however i read where some people have experienced this going back to 2007. I went back and reinstalled FF 21, maybe FF 22 is in beta?

  6. gene · 451 days ago

    There are TONS of issues with version 22, error messages, had to reset entirely and re add addons one at a time. FF now has that infernal scroll ball, Chrome uses, to no purpose whatsoever as it more annoying than helpful. This is easily the worst "upgrade" they've made. Don't believe me? Go to their feedback page, complaints are rolling in every four seconds.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog