Sometimes I wonder if the folks over at Mozilla Security are trying to embarrass me.
When I wrote about the new zero-day in Internet Explorer yesterday, I recommended IE users consider using Firefox as an alternative until a patch is available.
Today Mozilla has released Firefox 24.0 (as well as SeaMonkey and Thunderbird 24.0) fixing 17 vulnerabilities.
The bad news? Seven of these vulnerabilities are rated critical, four moderate and six low.
The good news? Mozilla has already released the fixes, so there is no reason to worry about mitigation techniques and “Fix its”.
Firefox 24.0 isn’t just a security roll-up. Mozilla has improved the performance, added more modern scrollbars on OS X and numerous other changes.
Reading through the security fixes it does not appear that any of these flaws are being actively exploited in the wild.
That could change at a moment’s notice.
Once the bugs are publicly known malicious coders will often look to see which of them may be easily exploited to use against people who fall behind on their patching.
If you want to learn more about remote code execution, information disclosure, denial of service and elevation of privilege flaws, why not give the latest Sophos Techknow a listen?
In 15 minutes Paul Ducklin and I try to explain what all of this vulnerability jargon means in a useful manner to IT administrators.
(18 September 2013, duration 15’08”, size 9.1MB)