Firefox sneaks out an “inbetweener” update, with security improvements rather than fixes

Here’s a quick note to remind all Firefox users that Mozilla just snuck out a point release.

Usually, if everything goes according to plan, Firefox updates appear every six weeks.

The last major update delivered version 32.0 on Mozilla’s most recent Fortytwosday (2014-09-03).

But if needs must, Mozilla delivers in-between updates, too.

That’s what has happened here, bumping Firefox from version 32.0 to 32.0.1.

→ We’ve dubbed them Fortytwosdays because: they’re always on Tuesdays, like Microsoft’s and Adobe’s updates; six weeks is 42 days; and 42 days has a certain popular connotation.

Three fixes are listed, none of them labelled as security related:

Fixed. Stability issues for computers with multiple graphics cards

Fixed. Mixed content icon may be incorrectly displayed instead of lock icon for SSL sites

Fixed. WebRTC: setRemoteDescription() silently fails if no success callback is specified

Browser stability

Stability issues always sound worrying when you’re talking about a browser.

There’s a lot at stake when your browser crashes, especially if the crash is predictable and can be triggered by content sent in from outside.

If a crook can crash your browser at will, that’s a denial of service (DoS) vulnerability.

A DoS won’t let crooks hack into your network, but will give them a smidgeon of malevolent control that they shouldn’t have.

If a crook can not only crash your browser but grab control of the browser process at the same time, that’s a remote code execution (RCE) exploit.

RCEs are one of the most common tricks used by cybercriminals to sneak malware onto your computer.

There’s no suggestion that the instability problems that are fixed in Firefox 32.0.1 could be exploited for criminal gain, but anything that even whiffs of a crash should be enough to persuade you to update right away.

SSL connection status

The second bug listed relates to the incorrect presentation of the status of an SSL connection.

This is also the sort of mistake you don’t want to see in a browser.

In this case, fortunately, the bug seems to cause more of a “fail closed” than a “fail open” situation: Firefox may wrongly warn you that a site is less secure than it really is, not the other way around.

When you visit a well-configured HTTPS site, Firefox should give you a clean and consistent way to verify your security:

Clicking on the green site identifier drills down to give you extra information about the HTTPS certificate supplied by the site.

But if a web page is inconsistent about HTTPS security and contains a mixture of HTTPS and HTTP items, Mozilla should give you a warning:

A web page that mixes insecure and secure content is not necessarily putting your personally identifiable information (PII) at risk, as long as your PII only travels in the secure parts of the web traffic.

The thing is, in mixed-content web pages, how can you be sure which data travels with encryption, and which without?

By default, Firefox simply omits any unencrypted sub-components (e.g. images) embedded in an HTTPS page, but it’s still better to avoid mixed content altogether.

So this bug fix in Firefox is not critical, but it is highly desirable.

It makes it more likely that a well-informed user will reach the correct conclusion about the security or otherwise of any web page.

And that’s about it for Firefox 32.0.1.