Firefox 29 is out – it’s more secure, but does it *look* better, too?


Firefox 29 is out, in accordance with Mozilla’s regular Tuesday-based 42 day update cycle.

There are numerous security fixes combined with some rather in-your-face visual changes.

For those who prefer their security patches quickly but their feature updates more slowly, Firefox 24.5.0 Extended Support Release is also available.

The security patches include a number of critical updates to close potential remote code execution holes.

That’s the sort of bug that could allow a crook to infect your computer merely by getting you to click through to a website containing booby-trapped content, bypassing any dialog boxes to ask if you’re sure you want to download or run a file.

The red entries in the list below are the ones that should convince to to update sooner rather than later, assuming you haven’t chosen to give control over updates to Firefox itself:

You’ll see the phrase use-after-free several times.

That’s where a programmer hands back (frees) a temporary block of memory so the operating system can re-allocate it, after which the contents of that memory can no longer be trusted.

But then the programmer continues to use the data stored in that memory block, even though it could by now have been altered by another part of the program.

Now imagine that attackers can arrange a sequence of operations, for example with some cunningly-crafted JavaScript, causin external (untrusted) data to wind up in a memory block that is used after it is freed.

They may thereby be able to trick your browser into misbehaving in ways that don’t merely cause it to crash, but instead cause it to carry out unauthorised operations.

Usually, that means potential remote code execution, which is why this sort of bug almost always gets a “critical” rating.

But what about the bugs that aren’t critical?

It turns out that there are a couple of other bugs patched in this update that are handy reminders of the sort of vigilance that security-conscious programmers needs to maintain.

MFSA 2014-35, for example, is a privilege escalation bug in the Mozilla Maintenance Service.

Ironically, that’s the background process, on Windows verions of Firefox, that prevents you being hassled by UAC (User Account Control) prompts during an automatic update.

As you can imagine, this sort of service needs system-level privileges, so crooks who have already found a way into your computer (whether through a Firefox bug or not) could use the next Firefox update as a way to boost their powers on your system.

And MFSA 2014-40 is a fault in how Firefox on Android manages its display.

The bug means that once the address bar has scrolled off the top of the screen on your Android device, a devious web page could use JavaScript to stop it reappearing.

In other words, when you scrolled back to check where you were, a crook could show you a fake address bar – perhaps even tricking you into thinking you have an HTTPS connection to a genuine site.

That might not sound like much of a flaw, and indeed Mozilla has only rated it “moderate” in severity.

But we have it as an article of security faith that the address bar is part of the browser than cannot be subverted or re-written by a remote website.

So this sort of loophole could be very valuable as one part of an attacker’s subterfuge.

And the new visuals in Firefox 29, shown below in comparison to the old look in Firefox 24.5.0 ESR?

The jury is out, at least at Naked Security.

One of us, an OS X-using backslider from Firefox, remarked that it “looked way cool” and was enough for him to consider moving back into the Mozilla camp.

And another of us, a long-term Firefox-on-Mac fan, remarked that he might as well jump ship to Google’s Chromium browser, now he’s forced to have those space-sapping curvy tabs just where he thinks they shouldn’t be in an OS X application.

For now, between 29.0 and the ESR flavour, you get to choose your visual style.

Just make sure you’ve got the latest version of either sort, for security’s sake.