Firefox 23.0 is out - fixes, features and just a tiny bit of frustration

Filed Under: Featured, Firefox, Web Browsers

Note to Firefox fans: 23.0 is out.

As usual, the new release sorts out a number of potentially exploitable security holes, including the usual fixes denoted Miscellaneous memory safety hazards.

Generally speaking, these represent proactive patches for problems found by the Mozilla team themselves.

This is good evidence that they're spending their time looking out for their users' safety.

→ You will sometimes see "number of bugs found" used as an inverse metric for code quality. So when 12 bugs are squashed in Internet Explorer, but 18 in Firefox, this turns into a "Firefox is 50% worse than IE." Beware of this sort of argument if ever you see it. Firstly, not all bugs are equal, so you can't simply divide one bug count by another. Secondly, a product with heaps of bugs (pun intended) but no maintenance would have a bug-squashed count of zero - yet that would make it worse, not better.

Indeed, the Miscellaneous memory hazards are usually described by Mozilla with the words:

Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

Not all vulnerabilities are exploitable, and often exploits aren't found even for vulnerabilities that look promising to attackers.

So it's good to see ongoing attention to correctness in memory usage even without in-the-wild vulnerability reports, especially in a browser project with a huge and complex codebase that uses and re-uses memory on a massive scale while running.

The fixes

There are four "red patches" this time around:

Those are the critical ones, where there is a likelihood, or at least a possibility, of remote code execution.

The feature

Firefox 23.0 also introduces a new security feature, called Mixed content blocking, that is more aggressive about handling pages containing both secure (HTTPS) and insecure (HTTP) parts.

You'd think that blocking any website that worked this way would be a good way to go, but the practice of mixing content is more widespread than you might think.

One problem many organisations find when enabling HTTPS is that web caching by content delivery networks (CDNs) and other intermediate proxies becomes harder, since the cache can no longer see the content it is relaying: the same file looks different on the wire every time it is delivered, because it is encrypted afresh for each connection.

One way around this dilemma is to serve potentially private content via HTTPS, but serve consistent and impersonal web objects (e.g. images such as logos, icons and buttons) as HTTP to save bandwidth and processing time.

Firefox 23.0 tries to differentiate between what it calls "Mixed Passive Content," such as HTTP images embedded in an HTTPS page, which can't read or alter the rest of the page and so is still allowed through, and "Mixed Active Content," such as HTTP scripts, stylesheets and iframes, which could read or alter the HTTPS page (and thus expose or tamper with the very data the encryption was meant to protect), and which is therefore blocked.
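To make the passive/active distinction concrete, here is an added example (not Firefox's own code, and not from this article's author) of a toy mixed-content classifier that applies the policy just described to the subresources an HTTPS page asks for. The grouping of resource types into passive (images, audio, video) and active (scripts, stylesheets, iframes, XHR, fonts, plugin objects) follows the commonly documented browser behaviour and is an assumption of this example, as are the sample URLs, which are constructed for illustration. It also shows why protocol-relative URLs ("//cdn.example.net/...") sidestep the problem: they resolve to HTTPS on an HTTPS page.

```javascript
// Added example, not Firefox's code: a toy Mixed Content Blocker that applies
// the passive/active split to a page's subresource loads. Type groupings are
// an assumption based on commonly documented browser behaviour; sample URLs
// are constructed (example.com / example.net are reserved for documentation).

// Content that cannot run in, or read, the page's DOM. An HTTP load is
// tolerated inside an HTTPS page, but the page is no longer "fully secure".
const PASSIVE_TYPES = new Set(["img", "audio", "video"]);

// Content that executes in, or can read, the HTTPS page's context. Loading it
// over cleartext HTTP would let an on-path attacker take over the secure page.
const ACTIVE_TYPES = new Set(["script", "stylesheet", "iframe", "xhr", "font", "object"]);

// Decide what the blocker does with one subresource. `ref` may be relative or
// protocol-relative ("//cdn/..."), so it is resolved against the page URL
// first, exactly as a browser would before issuing the request.
function classify(pageUrl, ref, type) {
  const page = new URL(pageUrl);
  const res = new URL(ref, pageUrl);

  // Mixed content only exists on pages that were themselves fetched securely.
  if (page.protocol !== "https:") return "allowed";
  // Only cleartext HTTP counts as insecure here; https:, data:, blob: do not.
  if (res.protocol !== "http:") return "allowed";

  if (PASSIVE_TYPES.has(type)) return "passive-mixed";  // loaded, lock downgraded
  if (ACTIVE_TYPES.has(type)) return "active-blocked";  // suppressed
  // Unknown resource kinds are treated as active: fail closed rather than
  // guess that a new kind of load is harmless (this example's own choice).
  return "active-blocked";
}

// Audit a whole page: which loads are blocked, which merely downgrade the
// lock icon, and whether the page would still show as fully secure.
function auditPage(pageUrl, resources) {
  const report = { blocked: [], passive: [], fullySecure: true };
  for (const { url, type } of resources) {
    const verdict = classify(pageUrl, url, type);
    if (verdict === "active-blocked") report.blocked.push(url);
    if (verdict === "passive-mixed") report.passive.push(url);
    if (verdict !== "allowed") report.fullySecure = false;
  }
  return report;
}

// Constructed sample: an HTTPS checkout page pulling assets from a CDN.
const SAMPLE_PAGE = "https://shop.example.com/checkout";
const SAMPLE_RESOURCES = [
  { url: "http://cdn.example.net/logo.png", type: "img" },        // passive: tolerated
  { url: "http://cdn.example.net/jquery.js", type: "script" },    // active: blocked
  { url: "http://cdn.example.net/site.css", type: "stylesheet" }, // active: blocked
  { url: "//cdn.example.net/icons.png", type: "img" },            // resolves to https: fine
  { url: "/api/cart", type: "xhr" },                              // same-origin https: fine
];

// Running the audit over the sample shows the middle ground the blocker aims
// for: the logo still loads, the script and stylesheet do not.
console.log(JSON.stringify(auditPage(SAMPLE_PAGE, SAMPLE_RESOURCES), null, 2));
```

The practical lesson for site owners is in the last two sample entries: the CDN-caching trick of serving impersonal objects over HTTP only survives the blocker for images and media, whereas scripts and stylesheets must come over HTTPS (or via protocol-relative URLs, which become HTTPS automatically on a secure page).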

Here's a secure page that sources an insecure image, where the Mixed Content Blocker (MCB) has stayed out of the way:

And here's a similar page that sources some JavaScript from an insecure site, where the MCB has changed the address bar to denote unobtrusively that the insecure script content has been suppressed:

You can click on the split-shield icon to find out more, though sadly not a lot more:

You can learn more about the Mixed Content Blocker from Mozilla's blog, and report sites that cause problems for it via special Mozilla bug number 844556.

The frustration

There's only one real annoyance in 23.0, at least as far as I am concerned: the "Always show the tab bar" option, allowing you to suppress the tab bar when only one tab was open, has been removed from the Preferences menu.

Even the under-the-hood setting browser.tabs.autoHide, previously tweakable via about:config, is no longer honoured, so you get the tab bar all the time even if you don't want it.

Presumably, most people spend most of their time with multiple tabs open (as do I, if the truth be told) and therefore this option was considered redundant, so I suppose I shall just have to get used to it.

The "Load images automatically" option is gone, too: it seems you'll get images automatically whether you like it or not.

If you don't like being on the bleeding edge, you can always use the Extended Support Release (though Mozilla works hard to talk you out of downloading it for home use), but the download page is still at 17.0.7esr, which doesn't contain the security fixes that went into 23.0.

You'll have to wait for 17.0.8esr for that.


14 Responses to Firefox 23.0 is out - fixes, features and just a tiny bit of frustration

  1. Valerie · 788 days ago

    The only upgrade I want from FF is either a better spell check or to be able to use Google spell check. Google understood me. FF does not understand anything I try to type :(

    OK I know this isn't the place for this but I need to vent! :D

  2. daniellynet · 788 days ago

    I am a FF beta user so I've had this update for quite a while.

    I ended up disabling the mixed content blocking because it broke some sites I used frequently.

    I'll use Flickr as an example.
    I had to disable the mixed content blocking feature on every single picture I wanted to favorite.
    It gets extremely tiresome in the process, and until they make you able to disable it per site it will remain disabled for me.
    Yes, I did write them some feedback requesting that feature, but I don't think they'll add that feature anytime soon. :/

  3. howie · 788 days ago

    Just read your review, I share your frustration with not being able to hide the tab when I only have one tab open. I too use multiple tabs frequently, but not all the time. I haven't seen FF23, I guess the tabs are on top too a la MS Office, not sure of the reasoning to change and drop this FEATURE. FF comes with tabs always showing by default and one had to go into preferences to change it to hide tabs when only a single tab is open. I would rather see Mozilla work on getting FF to be as bug free as possible. FF may be a P.I.A. for my mobile device if it forces images to be downloaded and displayed. For folks like me who are on a smaller data plan, it could push the data usage up. (just like the time SIRI caught iPhone users).

  4. They fixed the bug that caused people who use blink tags to be incredibly annoying, by removing blink support.

  5. spidersilk · 788 days ago

    I just upgraded to Firefox 23, and have found one HUGE annoyance, although the Flash player was also updated at the same time, so I'm not sure which accounted for this: now if I right-click anywhere on a web page, no matter what element I've clicked on, I get ALL the possible right-click commands, including those you'd normally get only if you clicked on a link, only if you clicked on an image, only if you clicked on a Flash element, etc. So the right-click menu is now massively long... And none of the menu items actually work. Regardless of what I choose in the right-click menu, nothing ever happens.

    Considering I normally right-click to open windows in new tabs dozens of times a day, and also regularly use the Inspect Element with Firebug menu item (I'm a web developer), this is incredibly annoying.

    • Richard · 787 days ago

      I've just updated and the context menu looks fine to me. From what I've seen, this sometimes happens when you have a pending update to an extension - particularly Firebug. Try restarting the browser again to see if the issue goes away.

    • geode · 787 days ago

      I just updated (or 'got updated' as it were), and tested for the behavior you describe. Right-click menu still works the same for me, no change to the length of the list, and items do work (tested Open Link in New Tab & Inspect Element w/ Firebug, both work correctly).
      I'm running Windows 7 Pro. Hope this is useful to you.

    • **EJ** · 787 days ago

      I updated to 23.0, and do not have this issue w/ right click commands not properly interpreting what you right clicked on.

    • If you keep having issues, a profile reset may work wonders:

  6. M.E. · 787 days ago

    "potentially-exploitable security holes"

    "potentially-private content"

    *do not hyphenate after an adverb

    • Paul Ducklin · 787 days ago

      Hyphenation "laws" (and practices) vary quite a lot between British, American and Australian English.

      But I like your way. I am a bit wedded to hyphens, and probably ought to wean myself off them. I'll change it.

  7. Bolek · 787 days ago

    I'd like to use ESR instead of the regular release for multiple reasons. So how does the ESR security compare to the regular release? They say:

    Maintenance of each ESR, through point releases, is limited to high-risk/high-impact security vulnerabilities and in rare cases may also include off-schedule releases that address live security vulnerabilities. Backports of any functional enhancements and/or stability fixes are not in scope.

    Mozilla will backport security bugs qualified as "Critical" and "High" to the ESR where feasible (there may be cases where a backport cannot be applied with reasonable effort, and those cases are expected to be exceptional). Other security and stability backports to the ESR will be included at Mozilla's discretion.

    The ESR will not have the benefit of large scale testing by nightly and beta groups. As a result, the potential for the introduction of bugs which affect ESR users will be greater, and that risk needs to be understood and accepted by groups that deploy it. To help mitigate these risks, Mozilla will be asking organizations that deploy the ESR for assistance with testing alpha and/or beta builds of the ESR with their user base.

    Over time the ESR will be less secure than the regular release of Firefox, as new functionality will not be added at the same pace as Firefox, and only high-risk/impact security patches will be backported. It is important that organizations deploying this software understand and accept this.

  8. DMT · 780 days ago

    After going on 23, now the pages I want are not loading. I have to use IE8 to get them. That is annoying.

  9. eNdEmiOn · 777 days ago

    Ridiculous removing the option to not show the tab bar. Ridiculous that I have to resort to using an add-on to get back regular functionality.

    Why would you need tabs anyway? You already have a bar for managing your windows THE TASKBAR!!!


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog