Firefox 27 is out – Tuesday’s second non-Patch-Tuesday update


Even though yesterday wasn’t a Patch Tuesday, we ended up with two major browser-related updates: an unscheduled Adobe Flash patch, and an update from Firefox 26 to Firefox 27.

Adobe’s update came early when the company became aware of a vulnerability that was already being exploited (a so-called zero day).

Firefox’s update is an as-expected release, but it nevertheless closes the door on a number of so-far unexploited vulnerabilities.

Security holes patched proactively in this way can never be zero days, at least in theory, but if you don’t apply security fixes promptly when they become available, you run the risk of being hit by what might as well be a zero day: a working exploit that appeared before you had closed the hole.

Being Firefox’s first update of 2014, its related Mozilla Foundation Security Advisories are conveniently numbered from MFSA 2014-01 to MFSA 2014-13, including four rated as Critical.

Those are the bugs that might have led to remote code execution, without any user interaction, if left unpatched:

Advisory ID     Possibly exploitable problem addressed
------------    --------------------------------------
MFSA 2014-01    Various memory management flaws
MFSA 2014-04    Buggy processing of images
MFSA 2014-08    More buggy processing of images
MFSA 2014-11    Crash in asm.js processing

Asm.js is Mozilla’s new and specially-defined speedy subset of JavaScript that is suitable for true compilation straight to machine code, thus skipping the slower use of the JavaScript interpreter.

(The security hole wasn’t a flaw in the asm.js concept itself, but rather a flaw in managing asm.js code objects.)

Mozilla has also updated its Extended Support Release (ESR) versions, applying the security patches but not the numerous new product features and non-security-related changes that went into the “spearhead” version 27.

Many organisations choose the ESR flavour of Firefox because its more conservative change schedule means sysadmins don’t have to take on possibly disruptive changes in browser functionality (or website behaviour) just to stay on top of security patches.

Firefox ESR moves to version 24.3.0.

Grab the relevant version today if your browser isn’t set up to do the grabbing for you…