Firefox 31 has arrived - 11 bulletins, 3 critical, 0 visual surprises

Filed Under: Featured, Firefox, Vulnerability

Firefox 31 is out.

So is its updated conservative older brother, the Extended Support Release, now at 24.7.

And Firefox's email-oriented cousin Thunderbird gets updated, too.

Thunderbird also goes to versions 31 and 24.7.

The elevator pitch from a security point of view is:

  • 11 security bulletins
  • 3 critical
  • 5 high
  • 2 moderate
  • 1 low

Low-rated vulnerabilities, which don't even get a colour code, are fairly rare in the Mozilla stable, and involve "minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs."

Loosely speaking, you can think of them as security holes that a crook is very unlikely to be able to turn to your financial disadvantage.

Nevertheless, this month's low-security patch, MFSA2014-60, gives an interesting insight into the esoteric nature of bug hunting.

MSFA2104-60 also reminds us that bugs that might have been identified as little more than display-related annoyances a few years ago are today considered security holes in the their own right.

The bug doesn't sound like much - as Mozilla's bulletin puts it, an attacker has "a limited ability to move UI icons within the visible window."

But Mozilla has recognised that even just messing around with the workflow of a website - for example one that involves financial transactions, changing privacy settings, or publishing content - can have security implications by tricking you into taking an action that you later realise wasn't what you intended.

It's easy to blame the user for that sort of mistake, on a sort of caveat emptor basis, but here's an experiment that might convince you otherwise, assuming you are a left-to-right language user:

  • Start a sequence of dialogs that you are entirely familiar with and will recognise even if you can't read the text they contain.
  • Switch to Hebrew, Arabic or any other right-to-left language.
  • See how tricky it is, even concentrating hard, just to get from dialog to dialog now that the buttons are reversed.

High and critical bugs

This update also has a number of high-rated vulnerabilities, such as buffer overflows and use-after-free flaws, that are documented as "potentially exploitable."

We'd usually expect that sort of bug to get a Critical rating from Mozilla; the developers aren't saying why they consider them only High this time round.

The critical bugs are of a similar type; presumably the Mozilla experts consider that, if attackers had discovered the bugs, they'd be more easily able to weaponise.

That's where you work out how to trigger a vulnerability that causes a crash in such a way that the crash doesn't simply pop up a "this program has done something bad and terminated" error, but actually drops executable control into your lap.

Of course, any vulnerability that can reliably trigger a crash can be used to cause a Denial of Service (DoS), so it's bad by definition.

But going from DoS to RCE (remote code execution) is often much harder than it sounds.

It's a bit like the difference between using explosives to demolish an old building, and blowing up the building so that a predetermined brick drops cleanly and unbroken into a bucket placed at a predetermined spot.

As usual, although the bugs are shared between Firefox and Thunderbird, the risks posed by many of the vulnerabilities rely on JavaScript shenanigans, so they are less likely to be exploited via email, because scripting is off by default when Thunderbird displays messages.

What more can we say?

We've updated, and everything (including our plugins) still seems to be working just fine, with no visual surprises like we had in Firefox 29.

Indeed, for what it's worth, this article was published using FF 31.0.

So we suggest that you update, too.

Oh, and whether you are a Firefox user or not, why not vote in our Which Browser Do You Trust The Most poll?

, , , , ,

You might like

6 Responses to Firefox 31 has arrived - 11 bulletins, 3 critical, 0 visual surprises

  1. PJ · 100 days ago

    I am being bad, I know, but I just don't like the layout since FF 29 was introduced. There was nothing wrong w/ the original layout.......and there is a convenience to the previous browser layout. So I have fallen behind. I read 'horror' stories re: plug-ins that didn't work and people frustrated trying to learn and adjust to the new layout.....

    • 0x003 · 99 days ago

      you may use Classic Theme Restorer Extension from FF

    • Laurence Marks · 99 days ago

      Ummm, why don't you just drop back to 24.7 from 29. It's supported and is getting all the latest fixes.

  2. Gene Jacobson · 99 days ago

    Shortly after installing FF 29, I rolled it back to 28 and began shifting my browsing to Pale Moon, which I now use exclusively and which, by the way, promises never to do what FF did with version 29.

    • Paul Ducklin · 99 days ago

      It seems to follow Firefox Extended Support Release, except that it hasn't updated to 24.7 yet.

      I admit, I didn't like the look of FF 29 at first. But it was quickly obvious that it was much, much more similar than it was different, if you know what I mean. Now, I have to admit that if you asked me to describe the differences, except for the tabs that are Chrome-like, not native Mac-like, and thus stand out as "different," I couldn't do it. Is it less reliable? No. More reliable? No. Faster? No. Slower? No. Harder to use? No. Easier to use? No. Is it actually, really, in any meaningful way different? It is not. So I relaxed.

      It's a bit like riding someone else's bicycle. Lots of differences and it's a bit weird at first, but, for all that, most things are the same. Like, the harder you pedal the faster you go. And after 10km, heck, it feels like...well, like riding a bicycle, even if you think his fancy new gear shifters are a bit of a show-off.

  3. zeke · 98 days ago

    thats a question i've been occupied with: which is the securest browser?

    FF 31's score in browserscope is not as high as Chrome's (16 out of 17) and Opera's (16 out of 17 tests).

    If you add noscript, FF 31 (seemingly) becomes just as good but this add-on requires significant inputs, interrupting an otherwise tranquil web surf.

    also: it seems that FF is more updated for security fixes than chrome or opera. what does that mean? don't really know but i suspect that such recurring updates mean that there is something wrong with the underlying
    code structure. am i correct in my assumption, Paul????

    furthermore, i've read an online paper that claims that add-ons can be detrimental to browser security. don't know if it is true or false but...one does not want to take chances when banking(which is not my case since i am bankrupt lol :) or emailing tarty novels....

    FF 31 incorporated google's malware detection but big G did not provide documentation...a bit sad really. security is a public good, after all.

    i believe that chrome + opera are the safest browsers but that is just a layman's opinion.

    best wishes
    zeke

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog