Firefox 27 Boosts Security

Mozilla has boosted security features and performance in version 27 of the Firefox open-source browser.

There are 13 security advisories attached to the Firefox 27 release, four of them ranked as being critical. As is common in nearly all Firefox release updates, one of the critical updates is for a group of vulnerabilities that Mozilla labels “Miscellaneous memory safety hazards.” There are links to the browser here, for desktop system and for Android.

Critical memory fix

There is also a critical fix for a use-after-free memory error reported to Mozilla by way of Hewlett-Packard’s Zero Day Initiative. Use-after-free errors enable attackers to potentially leverage legitimate memory space to launch arbitrary code.

In addition, Firefox 27 provides a fix for a download dialogue box window issue that potentially could have enabled a spoofing attack.

“Security researcher Jordi Chancel reported that the dialog for saving downloaded files did not implement a security timeout before button selections were processed,” Mozilla warned in its advisory. “This could be used in concert with spoofing to convince users to select a different option than intended, causing downloaded files to be potentially opened instead of only saved in some circumstances.”

Among the more interesting flaws fixed in Firefox 27 is one rated as having low impact that could enable an attacker to reset a user’s profile.

“Yazan Tommalieh discovered a flaw that once users have viewed the default Firefox start page (about:home), subsequent pages they navigate to in that same tab could use script to activate the buttons that were on the about:home page,” Mozilla’s security advisory states. “In some cases a malicious page could trigger session restore and cause data loss if the current tabs are replaced by a previously stored set.”

Firefox 27 also includes default support for the Transport Layer Security (TLS) 1.2 specification. When Firefox 27 first entered beta in December 2013, Sid Stamm, privacy and security engineer at Mozilla, told eWEEK, “TLS 1.2 is the next logical step in offering sites support for the latest standards with the protections they want.”

Mozilla is a little later than its browser peers in providing full default support for TLS 1.2. Google Chrome 30, Microsoft Internet Explorer 11 and Apple Safari 7 already support the spec.

From a performance perspective, Firefox 27 now supports the SPDY 3.1 protocol. SPDY is a Web protocol effort first begun by Google in 2011 with the goal of providing accelerated transport.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist

Try our Firefox quiz!

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

Ericsson To Cut 1,200 Jobs in Sweden Amid ‘Challenging’ Market

Swedish telecoms giant Ericsson blamed “challenging mobile networks market” and “further volume contraction” for job…

15 hours ago

FTX’s Sam Bankman-Fried Sentenced To 25 Years In Prison For $8bn Fraud

Dramatic downfall. Sam Bankman-Fried sentenced to 25 years in prison for masterminding $8bn fraud that…

16 hours ago

Elon Musk Orders FSD Demo For Every Tesla US Sale

Fallout avoidance? Tesla buyers in the US must be shown how to use the FSD…

17 hours ago

Amazon Pumps Another $2.75 Billion Into Anthropic

Amazon completes its $4bn investment into AI firm Anthropic, after providing an additional $2.75bn in…

18 hours ago

The Sustainability of AI

While AI promises unparalleled efficiency, productivity, and innovation, questions regarding its environmental impact loom large.…

21 hours ago

Trump’s Truth Social Makes Successful Market Debut

Shares in Donald Trump’s social media company rose about 16 percent after first day of…

22 hours ago