Firefox 29 is out - it's more secure, but does it *look* better, too?

Filed Under: Featured, Firefox, Security threats, Vulnerability

Firefox 29 is out, in accordance with Mozilla's regular Tuesday-based 42 day update cycle.

There are numerous security fixes combined with some rather in-your-face visual changes.

For those who prefer their security patches quickly but their feature updates more slowly, Firefox 24.5.0 Extended Support Release is also available.

The security patches include a number of critical updates to close potential remote code execution holes.

That's the sort of bug that could allow a crook to infect your computer merely by getting you to click through to a website containing booby-trapped content, bypassing any dialog boxes to ask if you're sure you want to download or run a file.

The red entries in the list below are the ones that should convince to to update sooner rather than later, assuming you haven't chosen to give control over updates to Firefox itself:

You'll see the phrase use-after-free several times.

That's where a programmer hands back (frees) a temporary block of memory so the operating system can re-allocate it, after which the contents of that memory can no longer be trusted.

But then the programmer continues to use the data stored in that memory block, even though it could by now have been altered by another part of the program.

Now imagine that attackers can arrange a sequence of operations, for example with some cunningly-crafted JavaScript, causin external (untrusted) data to wind up in a memory block that is used after it is freed.

They may thereby be able to trick your browser into misbehaving in ways that don't merely cause it to crash, but instead cause it to carry out unauthorised operations.

Usually, that means potential remote code execution, which is why this sort of bug almost always gets a "critical" rating.

But what about the bugs that aren't critical?

It turns out that there are a couple of other bugs patched in this update that are handy reminders of the sort of vigilance that security-conscious programmers needs to maintain.

MFSA 2014-35, for example, is a privilege escalation bug in the Mozilla Maintenance Service.

Ironically, that's the background process, on Windows verions of Firefox, that prevents you being hassled by UAC (User Account Control) prompts during an automatic update.

As you can imagine, this sort of service needs system-level privileges, so crooks who have already found a way into your computer (whether through a Firefox bug or not) could use the next Firefox update as a way to boost their powers on your system.

And MFSA 2014-40 is a fault in how Firefox on Android manages its display.

The bug means that once the address bar has scrolled off the top of the screen on your Android device, a devious web page could use JavaScript to stop it reappearing.

In other words, when you scrolled back to check where you were, a crook could show you a fake address bar - perhaps even tricking you into thinking you have an HTTPS connection to a genuine site.

That might not sound like much of a flaw, and indeed Mozilla has only rated it "moderate" in severity.

But we have it as an article of security faith that the address bar is part of the browser than cannot be subverted or re-written by a remote website.

So this sort of loophole could be very valuable as one part of an attacker's subterfuge.

And the new visuals in Firefox 29, shown below in comparison to the old look in Firefox 24.5.0 ESR?

The jury is out, at least at Naked Security.

One of us, an OS X-using backslider from Firefox, remarked that it "looked way cool" and was enough for him to consider moving back into the Mozilla camp.

And another of us, a long-term Firefox-on-Mac fan, remarked that he might as well jump ship to Google's Chromium browser, now he's forced to have those space-sapping curvy tabs just where he thinks they shouldn't be in an OS X application.

For now, between 29.0 and the ESR flavour, you get to choose your visual style.

Just make sure you've got the latest version of either sort, for security's sake.

, , , , , , ,

You might like

35 Responses to Firefox 29 is out - it's more secure, but does it *look* better, too?

  1. Dave Lewis · 522 days ago

    I'd be careful with backtracking to the ESR release mid cycle You might see erroneous behaviour. Whilst it still has all of the security updates it doesn't have all of the features. You'll for all intents and purposes be downgrading your installation, but your profile or addons from the 'newer version' may be referencing features that are not ready or simply not present, causing problems or (probably being a bit tin foil hat here) even be exploitable.

    Creating a new profile from scratch using the profile manager after you move to ESR mid cycle is probably the most sensible course of action.

  2. Alan · 522 days ago

    > now he's forced to have those space-sapping curvy tabs just where he thinks they shouldn't be in an OS X application

    No he's not - the default option is to have them, but like pretty much anything in Firefox, this can be customised. If you want FF29 to look like FF28, then it's possible - it even tells you how to do this in the introductory window that appears on first launch.

    (Yes, I know about 0.00002% of people actually read those :-) )

  3. Luc D. · 522 days ago

    I installed Firefox 20.0 + the "Classic Theme Restorer" add-on.
    Now, the "required" and "pattern" clauses of all HTML5 forms are simply ignored (as long as "Classic Theme Restorer" remains active) !

  4. Outfoxed · 522 days ago

    Use the Add-on "Classic Theme Restorer" seems to be the way to undo those bits of the new look that you don't like.

    • David · 522 days ago

      Outfoxed, I tried "Classic Theme Restorer" and it helped 'some' but it won't move the address window (box) back to the top of the page.

    • bob · 522 days ago

      Shame we have to jump through hoops to de-Chromeify Firefox every few version updates.

  5. Anonymous · 522 days ago

    It looks horrible.

  6. Mark · 522 days ago

    It looks HORRIBLE! Had to go back to 28 and turn off auto-updates for now.

  7. Firefox still reports that my Java plugins are out of date and vulnerable, even though the Java site says I'm running the latest version and have no old versions installed. Although they now acknowledge the error, they still haven't fixed it.

  8. Sue Horwood · 522 days ago

    I'm definitely not happy with the changes. Found a Mozilla page that tells us how to put the browser tabs back where I feel they belong, here is the link

    Only problem is, that the solution they give is not an option. In my about:config the - browser.tabs.onTop - option does not exist.

    Am off to download the add-on to make 29 look like 28 and regain the bottom add-on bar and hopefully the yellow star that tells me if I have already bookmarked the web page I'm viewing.

    • Anonymous · 522 days ago

      Go to add on and find classic theme (or classic theme restorer) and you will find it when you install the add on.
      It was the same thing with the change from windows xp to windows 7. It takes a while to get used to. When you have the classic theme you can customize firefox as you like

  9. Patricia Lamagno · 522 days ago

    So, at this point is Firefox or Google Chrome the best?

    • Vito · 521 days ago

      "So, at this point is Firefox or Google Chrome the best?"

      Neither. I'm afraid that the folks at Mozilla have lost their way. And Chrome is intrusive beyond reason. Chromium is less so — it has the advantages of Chrome without as much of the Google baggage.

      Alternatively, try Seamonkey, which still remains true to the spirit of the original Netscape Communicator and Mozilla Suite.

  10. Thomas · 522 days ago

    While we're talking of Firefox here, I'm wondering if anyone can tell me why Firefox keeps stalling and giving me a byline at the top of the screen saying "Mozilla Firefox - Not Responding". I also often get a warning "Unresponsive script", in a new window centered on the screen, giving me the option to 'Continue' or to 'Stop Script'. The last time "Unresponsive script" appeared, just moments ago after installing Firefox 29, the script identified was "chrome://wrc/content/common/scripts/bal.js:854"

    I've been putting off doing a clean install of Win7 and all the time consuming tasks associated with that, hoping for a reasonable explanation and possible simple fix.

    Any help will be deeply appreciated.

    • Anonymous · 521 days ago

      I would create a new profile before reinstalling Windows. Much quicker.

  11. Lance · 522 days ago

    Will stay with 28 until I die.

  12. Stevey · 521 days ago

    I've just had my tea

  13. Giorgio · 521 days ago

    It was the same with the change of windows XP to windows 7. In firefox you can customize your look that you can get similar look as firefox 28. I have been using chrome so for me it is good that you yourself can do this.

  14. Joe F. · 521 days ago

    I had everything the way I liked it. Now I don't. I also added "Classic Theme Restorer" and it helps but not completely. And you can, if not careful, add an add-on bar and an addon bar. Not only can I not have my add-on bar the way I like it, the process of adding and deleting icons to toolbars is inconsitent and does not always work. I am not happy. I was happy running 28 on Ubuntu.

    • Anonymous · 519 days ago

      I whiolly agree with Joe. I'm on OpenSUSE and experiencing the same thing. The "Classic" extension does SOME things - but not much more. The height of the tabs is too high (cannot be changed) and so I only get 1.75 rows visible at a time instead of the two I had before. I wish instead of FORCING us to take this Austrais UI - they gave us a OPTION to have it IF WE WANTED (I **VIGORUSLY** DO NOT).

  15. Anonymous · 521 days ago

    Really enjoying the new, highly customizable UI.

    • David · 519 days ago

      "Really enjoying the new, highly customizable UI".

      I bet you work for Mozilla.

      • Anonymous · 519 days ago

        I wholly agree! ANYONE who says this (usability) is better than previous versions MUST work for Mozilla! I'm sure the security features are needed - but many of us have our browsers JUST THE WAY **WE** WANT THEM - until 42 days later - and then EVERYTHING changes! Frustration hardly covers it!

    • Anonymous · 508 days ago

      Hope that this is sarcasm.

  16. Blake · 521 days ago

    Thank God for the Opera browser!

  17. Red · 520 days ago

    I think this new release looks great! As a designer myself who has done some UI work, it's obvious they took some time to study what works. Haven't tested on Windows yet but on the Mac it's beautifully executed. The unobtrusiveness of tabs being ghosted when new one's are open sort of reminds me of earlier version of Opera. I'll stick with FF29 for now.

  18. Never again · 514 days ago

    I have been an evangelist and occasionally donated to Mozilla since the earliest betas. With version 29 installing itself upon mere CHECK (and I do have FF set to alert me about updates without downloading) my highly personalized ecosystem of add-ons and UI was about to be destroyed. Luckily, I haven't restarted thereafter and followed some instructions from the web to remove the downloaded update prior to its installation.

  19. pcshell · 512 days ago

    I went back to Firefox 24.5 ESR. Glad to see so many are sharing the same sentiment with me. Yeah I wonder why they keep changing the user interface.

  20. Scott · 510 days ago

    Shortly after upgrading to FF 29, my browser became highly unstable, crashing several times a day. I've seen similar experiences in a number of places elsewhere, including a friend of mine on the East Coast. Virus-catchers found nothing, turning off extensions only extended the period between crashes. The behavior was unique to FF; using Google Chrome as a browser avoided the crashes entirely.

    Sorry, FF, I'm leaving you uninstalled for now and going to Chrome. (Gritting my teeth as I do so.) I'll check back with you at version 30.

  21. Dell · 495 days ago

    FF29 is terrible compared to previous FF releases, how less customization is sold are more is just nonsense, FF have lost the plot with the one size fits all policy based on Mobile users, they really need to create a new FF for just desktop use. the CTR addon adds back some customizations but not all, you cannot move the navigation buttons. Mine updated from FF28 to FF29 when i let it, but I was not aware of these major changes to make FF29 look like Chrome ( I don't like Chrome or Google due to data tracking ) I was lucky in that i use FEBE to backup FF, and I keep few installers for FF and reinstalled FF28. FF29 will prob be ok for the FB & Twits generation, but for any real use as in work scenarios its terrible, bookmarking is also terrible.
    I have also installed FF ESR 24 and it as it was good except fro the normal FF memory leaks... I have also installed Pale Moon which I have to say I like, its based on FF ESR and also has a migration tool which is excellent, in my case it restored all my F addons (10) and bookmark folders (50+) to my bookmark toolbar where I like them, they also say the wont be going down the Australias route. I have also back my tabs on the bottom of my screen where I like them when connected to large monitors, Another plus for Pale Moon is that the status bar is standard with options so you dont have to use an addon as we have have to do in FF since the 20's I think. So in my option FF29 will be ok for Mobile users but not Desktop users who use browsers for more that just FB andTwits or as a work browsers.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog