Firefox 20 arrives – new version, some security improvements, no known vices


Firefox 20.0 was released today.

The buglist page enumerates 3054 official changes.

Despite the title “buglist”, these aren’t all flaws that needed fixing.

The updates run from the benign-sounding bug #819202 (“attempting to open a new public window when a private window is focused opens a new private window”) to enhancement #800085 (“complete gecko testing for identity SignInToWebsiteController”).

Amongst this month’s changes, however, are eleven patched vulnerabilities.

All of them, at least at the time of writing, are shown on the official vulnerabilities page with their Security Advisory links coloured in red, denoting a Critical impact.

Update. The colours on the Firefox vulnerabilities page have been fixed. Things now look a lot less dramatic from a security point of view! (2013-04-02T22:31Z)

Red-coloured vulnerabilities officially denote bugs that:

can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.

Mozilla, however, has been unkind to itself, because drilling into each MFSA (Mozilla Foundation Security Advisory) item tells a slightly different story, with the real vulnerability severity counts as follows:

  • Critical: 3
  • High: 4
  • Moderate: 4

Bugs at the High level, usually coloured orange in Mozilla’s security rainbow, aren’t to be sneezed at, as they typically allow data leakage or cross-site scripting. But they don’t offer attackers RCE, or remote code execution.

And yellow-coloured moderate bugs, in Mozilla’s words, would be critical or high but for the fact that they:

only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.

Additionally, one of the bugs rated critical (MFSA 2013-035) only affects Linux users who have the Intel Mesa graphics drivers installed – the rest of us can stand down from RCE alert.

Firefox 20.0 also has a couple of feature enhancements thrown in for good measure, and Mozilla seem pretty proud of these:

  • A download manager that’s a little clickable arrow rather than a new browser window.
  • Per-window private browsing so you don’t need to exit and restart Firefox to switch from stateful to private use.

By the way, I recommend setting Firefox to delete as much of your history as you can bear to lose (notably including cookies) whenever you exit, as it gives you that bit less to worry about next time you start up the browser.

If you use Private Browsing all the time, your “delete history on exit” settings are effectively maximised, because Firefox doesn’t keep any history as you browse.

If you choose to let Firefox remember some or all of your browsing history as you go along, you can use the Clear history when Firefox closes setting in the Preferences|Privacy pane to ensure your history is deliberately discarded once you exit from the Firefox application.

And lastly, there’s an enhancement described as the “ability to close hanging plugins, without the browser hanging.”

Mozilla refers to this as a new feature, which it may well be, though if you wanted to be unkind, you might prefer to think of it as merely overdue.

Regular readers will know I’m a Firefox early adopter, and the 20.0 update hasn’t given me any surprises: my favourite add-ons still seem to work, and this article was prepared after updating.

So there you have it: new version, some security improvements, no known vices.