Firefox 27 is out - Tuesday's second non-Patch-Tuesday update


Even though yesterday wasn't a Patch Tuesday, we ended up with two major browser-related updates: an unscheduled Adobe Flash patch, and an update from Firefox 26 to Firefox 27.

Adobe's update came early when the company became aware of a vulnerability that was already being exploited (a so-called zero day).

Firefox's update is an as-expected release, but it nevertheless closes the door on a number of so-far unexploited vulnerabilities.

Security holes patched proactively in this way can never be zero days, at least in theory, but if you don't apply security fixes promptly when they become available, you run the risk of being hit by what might as well be a zero day: a working exploit that appeared before you had closed the hole.

Being Firefox's first update of 2014, its related Mozilla Foundation Security Advisories are conveniently numbered from MFSA 2014-01 to MFSA 2014-13, including four rated as Critical.

Those are the bugs that might have led to remote code execution, without any user interaction, if left unpatched:

Advisory ID     Possibly exploitable problem addressed
------------    --------------------------------------
MFSA 2014-01    Various memory management flaws
MFSA 2014-04    Buggy processing of images
MFSA 2014-08    More buggy processing of images
MFSA 2014-11    Crash in asm.js processing

Asm.js is Mozilla's new and specially-defined speedy subset of JavaScript that is suitable for true compilation straight to machine code, thus skipping the slower use of the JavaScript interpreter.

(The security hole wasn't a flaw in the asm.js concept itself, but rather a flaw in managing asm.js code objects.)

Mozilla has also updated its Extended Support Release (ESR) versions, applying the security patches but not the numerous new product features and non-security-related changes that went into the "spearhead" version 27.

Many organisations choose the ESR flavour of Firefox because its more conservative change schedule means sysadmins don't have to take on possibly disruptive changes in browser functionality (or website behaviour) just to stay on top of security patches.

Firefox ESR moves to version 24.3.0.

Grab the relevant version today if your browser isn't set up to do the grabbing for you...


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog