Adobe’s update came early when the company became aware of a vulnerability that was already being exploited (a so-called zero day).
Firefox’s update is an as-expected release, but it nevertheless closes the door on a number of so-far unexploited vulnerabilities.
Security holes patched proactively in this way can never be zero days, at least in theory, but if you don’t apply security fixes promptly when they become available, you run the risk of being hit by what might as well be a zero day: a working exploit that appeared before you had closed the hole.
Being Firefox’s first update of 2014, its related Mozilla Foundation Security Advisories are conveniently numbered from MFSA 2014-01 to MFSA 2014-13, including four rated as Critical.
Those are the bugs that might have led to remote code execution, without any user interaction, if left unpatched:
| Advisory ID | Possibly exploitable problem addressed |
|---|---|
| MFSA 2014-01 | Various memory management flaws |
| MFSA 2014-04 | Buggy processing of images |
| MFSA 2014-08 | More buggy processing of images |
| MFSA 2014-11 | Crash in asm.js processing |
(The security hole wasn’t a flaw in the asm.js concept itself, but rather a flaw in managing asm.js code objects.)
Mozilla has also updated its Extended Support Release (ESR) versions, applying the security patches but not the numerous new product features and non-security-related changes that went into the “spearhead” version 27.
Many organisations choose the ESR flavour of Firefox because its more conservative change schedule means sysadmins don’t have to take on possibly disruptive changes in browser functionality (or website behaviour) just to stay on top of security patches.
Firefox ESR moves to version 24.3.0.
Grab the relevant version today if your browser isn’t set up to do the grabbing for you…