Sean Michael Kerner welcomes Firefox 27, which fixes some holes and catches up on security tech such as TLS
There are 13 security advisories attached to the Firefox 27 release, four of them ranked as being critical. As is common in nearly all Firefox release updates, one of the critical updates is for a group of vulnerabilities that Mozilla labels “Miscellaneous memory safety hazards.” There are links to the browser here, for desktop system and for Android.
Critical memory fix
There is also a critical fix for a use-after-free memory error reported to Mozilla by way of Hewlett-Packard’s Zero Day Initiative. Use-after-free errors enable attackers to potentially leverage legitimate memory space to launch arbitrary code.
In addition, Firefox 27 provides a fix for a download dialogue box window issue that potentially could have enabled a spoofing attack.
“Security researcher Jordi Chancel reported that the dialog for saving downloaded files did not implement a security timeout before button selections were processed,” Mozilla warned in its advisory. “This could be used in concert with spoofing to convince users to select a different option than intended, causing downloaded files to be potentially opened instead of only saved in some circumstances.”
Among the more interesting flaws fixed in Firefox 27 is one rated as having low impact that could enable an attacker to reset a user’s profile.
“Yazan Tommalieh discovered a flaw that once users have viewed the default Firefox start page (about:home), subsequent pages they navigate to in that same tab could use script to activate the buttons that were on the about:home page,” Mozilla’s security advisory states. “In some cases a malicious page could trigger session restore and cause data loss if the current tabs are replaced by a previously stored set.”
Firefox 27 also includes default support for the Transport Layer Security (TLS) 1.2 specification. When Firefox 27 first entered beta in December 2013, Sid Stamm, privacy and security engineer at Mozilla, told eWEEK, “TLS 1.2 is the next logical step in offering sites support for the latest standards with the protections they want.”
Mozilla is a little later than its browser peers in providing full default support for TLS 1.2. Google Chrome 30, Microsoft Internet Explorer 11 and Apple Safari 7 already support the spec.
From a performance perspective, Firefox 27 now supports the SPDY 3.1 protocol. SPDY is a Web protocol effort first begun by Google in 2011 with the goal of providing accelerated transport.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist
Originally published on eWeek.