Firefox 23.0 is out – fixes, features and just a tiny bit of frustration

Note to Firefox fans: 23.0 is out.

As usual, the new release sorts out a number of potentially exploitable security holes, including the usual fixes denoted Miscellaneous memory safety hazards.

Generally speaking, these represent proactive patches for problems found by the Mozilla team themselves.

This is good evidence that they’re spending their time looking out for their users’ safety.

→ You will sometimes see “number of bugs found” used as an inverse metric for code quality. So when 12 bugs are squashed in Internet Explorer, but 18 in Firefox, this turns into a”Firefox is 50% worse than IE.” Beware of this sort of argument if ever you see it. Firstly, not all bugs are equal, so you can’t simply divide one bug count by another. Secondly, a product with heaps of bugs (pun intended) but no maintenance would have a bug-squashed count of zero – yet that would make it worse, not better.

Indeed, the Miscellaneous memory hazards are usually decribed by Mozilla with the words:

Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

Not all vulnerabilities are exploitable, and often exploits aren’t found even for vulnerabilities that look promising to attackers.

So it’s good to see ongoing attention to correctness in memory usage even without in-the-wild vulnerability reports, especially in a browser project with a huge and complex codebase that uses and re-uses memory on a massive scale while running.

The fixes

There are four “red patches” this time around:

Those are the critical ones, where there is a likelihood, or at least a possibility, of remote code execution.

The feature

Firefox 23.0 also introduces a new security feature, called Mixed content blocking, that is more aggressive about handling pages containing both secure (HTTPS) and insecure (HTTP) parts.

You’d think that blocking any website that worked this way would be a good way to go, but the practice of mixing content is more widepsread than you might think.

One problem many organisations find when enabling HTTPS is that web caching by content delivery networks (CDNs) becomes harder, since the same file is delivered differently-encrypted every time.

One way around this dilemma is to serve potentially private content via HTTPS, but serve consistent and impersonal web objects (e.g. images such as logos, icons and buttons) as HTTP to save bandwidth and processing time.

Firefox 23.0 tries to differentiate between what it calls “Mixed Passive Content,” where HTTP objects like images are unexceptionally permitted in the middle of HTTPS pages, and “Mixed Active Content,” where HTTP objects that might be able to peek at HTTPS content are blocked.

Here’s a secure page that sources an insecure image, where the Mixed Content Blocker (MCB) has stayed out of the way:

And here’s a similar page that sources some JavaScript from an insecure site, where the MCB has changed the address bar to denote unobtrusively that the insecure script content has been suppressed:

You can click on the split-shield icon to find out more, though sadly not a lot more:

You can learn more about the Mixed Content Blocker from Mozilla’s blog, and report sites that cause problems for it via special Mozilla bug number 844556.

The frustration

There’s only one real annoyance in 23.0, at least as far as I am concerned: the “Always show the tab bar” option, allowing you to suppress the tab bar when only one tab was open, has been removed from the Preferences menu.

Even the under-the-hood setting browser.tabs.autoHide, previously tweakable via about:config, is no longer honoured, so you get the tab bar all the time even if you don’t want it.

Presumably, most people spend most of their time with multiple tabs open (as do I, if the truth be told) and therefore this option was considered redundant, so I suppose I shall just have to get used to it.

The “Load images automatically” option is gone, too: it seems you’ll get images automatically whether you like it or not.

If you don’t like being on the bleeding edge, you can always use the Extended Support Release (though Mozilla works hard to talk you out of downloading it for home), but the download page is still at 17.0.7esr, which doesn’t contain the security fixes that went into 23.0

You’ll have to wait for 17.0.8esr for that.