Firefox moves up to Version 25, fixes a bunch of memory mismanagement problems

Filed Under: Featured, Firefox, Vulnerability

A brief reminder for Firefox users: version 25 is out.

As usual, there are some new and tweaked features, plus a fair number of security fixes.

And, as usual, Mozilla recommends your immediate attention to the update, if you're one of those who prefers to be alerted to updates first rather than having them automatically applied:

It is strongly recommended that you apply this update for Firefox as soon as possible.

If you aren't already using Firefox you can get a copy of the latest version from the downloads page.

There are actually four updated software versions in the Mozilla stable that have received the security patches from the latest upgrade:

  • Firefox 24.0 goes to 25.0.
  • Firefox 24.0ESR (Extended Support Release) goes to 24.1ESR
  • Firefox 17.0.9ESR goes to 17.0.10ESR.
  • Thunderbird goes to 24.1.

The Seamonkey application suite is also listed as getting the fixes, moving to 2.22, but it looks as though Seamonkey users may have to wait, as the official download page [at 2013-10-30T05:45Z] still offers 2.21.

Tor Browser users will also need to keep their eye on the progress of updates, as the Firefox ESR version that ships in the Tor Browser Bundle is still at 17.0.9.

Five of the security advisories are marked in red, meaning they're critical, and can therefore possibly, or even probably, be used for implanting malware via Remote Code Execution (RCE).

All of the critical fixes involve memory mismanagement errors such as use-after-free bugs: if you're interested in the potential implications of this sort of programming flaw, you might want to check out our Anatomy of an IE Exploit series.

There are two official changes listed for Firefox 25, and both caught my eye, as they have to do with the Firefox Reset feature:

Resetting Firefox is a not-very-well-known option you can try when websites stop working properly, perhaps because of accumulated state information about your browsing so far. (So much for HTTP being a so-called stateless protocol where each request stands entirely on its own.)

If you browse to the URL about:support, you'll see the reset option:

As the change list reminds us quite clearly, a Firefox reset doesn't set you back to a state of total browsing innocence, and in Firefox 25, it seems that slightly less than before is deleted from the browser's store of information.

In particular, the reset function no longer forces an end to any current browser sessions, meaning that it leaves behind a fair amount of data about your current browser state.

Do bear this in mind, especially if you also use Safari, where the Reset option can be used to remove all browser data, effectively logging you out, removing all tracking cookies, and more.

The equivalent option in Firefox isn't Reset, but rather Clear All History, which you reach from the History|Clear Recent History menu option.

Now grab the update, and shield yourself from any potential attacks that might be found against those use-after-free bugs!

, , , ,

You might like

6 Responses to Firefox moves up to Version 25, fixes a bunch of memory mismanagement problems

  1. Where is the update link? I do not see it in this article.

    • Paul Ducklin · 709 days ago

      Click on the link to the release notes above, which will let you see what's new and changed. From that official release notes page there's one more obvious and official link to the download page :-)

      Or run Firefox, pop up the "About Firefox" window, and click the [Check for Updates] button.

  2. Peg Ventry · 709 days ago

    Thanks for the notification. I don't subscribe to Mozilla's email notifications because of their privacy policy. They collect "potentially-personally identifying information", which they share with others, including third-party contractors and foreign entities that do not necessarily guarantee the same confidentiality that Mozilla claims to provide.

    I probably wouldn't have checked the privacy policy as carefully if it weren't for Mozilla's "proudly non-profit" braggadocio, which seems more than a little hypocritical. Their officers are paid, and they have permanent full-time employees world-wide. They can't do that unless they're making lots of money.

    I don't have a problem with that. As far as I'm concerned they're entitled to all the money they earn. But it makes the whole "non-profit" thing seem somewhat duplicitous, which is what led me to scrutinize their privacy policy more closely. Sure enough, the personal information they collect isn't as secure as a superficial reading might lead you to believe. Caveat emptor.

  3. Wakefield · 708 days ago

    After updating to Firefox 25 last night Firefox will not connect to any servers! In other words no Internet on Firefox. I am on Internet now via Internet Explorer.

    Firefox 24 was working properly.

  4. Anonymous · 682 days ago

    Maybe time to look elsewhere for an Internet browser?

  5. RAM · 626 days ago

    I just updated and the memory management seems worse than ever. Firefox 26 is using over 1.2GB of memory with just a few tabs open. I'm getting ready to move on from firefox and not look back.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog