Firefox 22.0 closes a modest bunch of not-yet-exploited holes


Here’s a brief note just to remind you that Mozilla’s Firefox 22.0 is out, as expected.

As usual, there’s a handy mixture of important-sounding security fixes and some interesting new features.

This time there are 14 listed Mozilla Foundation Security Advisories, of which four are at Red Alert (critical level) and six at Orange Alert (high level).

High usually means some sort of data leakage bug or cross-site scripting problem; critical usually means that a crook can, in Mozilla’s words, “run attacker code and install software, requiring no user interaction beyond normal browsing.”

Critical fixes

If you would like to drill down into the official Mozilla Foundation Advisories (MSFAs) for the four critical fixes, they are:

MFSA 2013-49 Miscellaneous memory safety hazards
MFSA 2013-50 Memory corruption found using Address Sanitizer
MFSA 2013-51 Privileged content access and execution via XBL
MFSA 2013-53 Execution of unmapped memory in onreadystatechange event

The ominous sounding “memory safety hazards” mentioned in MFSA 2013-49 refer to behaviours in which the content of Firefox memory is known to be modified incorrectly.

That doesn’t mean there will inevitably be an exploitable remote code execution flaw, but for a would-be attacker, it’s certainly a good place to start looking.

New features

Three new features caught my eye.

WebRTC (real time communication) is enabled by default.

This is a set of JavaScript programming features that let you create services such as video chat right in the browser, using embedded JavaScript – no need for a plugin.

A new Services tab appears in under Tools|Add-ons.

Add-on modules specific to what Facebook calls “social services management” will apparently appear here. (No, I don’t know quite what this means, but I imagine add-ons that help you send tweets or Like things on Facebook will now be found grouped together here.)

A font inspector is built into the Web Developer tools.

Have you ever liked a font on a web page and wanted a really quick way to identify it?

Now, if you go to Tools|Web Developer|Inspector, you’ll see a Fonts tab in the bottom right of the screen that will help you do just that.


It hasn’t been out long, but I installed Firefox 22.0 almost immediately, and haven’t noticed any unwanted changes or problems caused by updating.

There don’t seem to be any in-the-wild reports of exploits against any of the potentially exploitable critical vulnerabilities listed above, which might persuade some of you to wait before upgrading.

On the other hand, why wait and risk an easily-preventable disaster?