Logjam SSL/TLS vulnerability is among the 13 security advisories in latest stable release of the open-source Firefox Web browser
There are two new versions of Mozilla’s Web browsers for users to try out today, with a stable Firefox 39 release and a beta of Firefox 40 that provides a preview of features still in active development.
With Firefox 39, Mozilla has integrated its Project Silkeffort, whose goal is to make the browser scrolling and animation experience smoother for Website rendering. So far, Project Silk has only been integrated into the Apple Mac OS X edition of Firefox 39.
“We have achieved stability on OS X, and Project Silk is planned soon on Windows, Linux, and Android,” Chad Weiner, director of product management at Mozilla, told eWEEK. “We wanted to make the experience better for our OS X users ASAP rather than wait for it to be ready for all platforms.”
While Mac OS X users are the first to benefit from Project Silk, OS X is the last operating system to benefit from Firefox’s safe browsing malware detection capability—it is just now being added in Firefox 39 for OS X. The safe browsing malware detection feature warns users when they downloaded files that are detected as malware, according to Weiner.
“Firefox asks Google’s Safe Browsing service if the software is safe by sending it some of the metadata associated with the download, such as a file’s hash and binary size,” he said. “It has been available on Firefox for PC and Linux for some time, and with this release we wanted to extend this protection to Mac files.”
As part of the Firefox 39 release, Mozilla is providing 13 security advisories, four of which are rated as being critical. The critical security advisories include MSFA-2015-66 , which provides a patch for seven different identified vulnerabilities (CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739 and CVE-2015-2740).
“These [vulnerabilities] included three uses of uninitialized memory, one poor validation leading to an exploitable crash, one read of unowned memory in zip files, and two buffer overflows,” Mozilla warns in its security advisory. “These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them.”
Firefox 39 also provides users with a fix for the Logjam SSL/TLS vulnerability that was first disclosed on May 20.
“The essence of the Logjam vulnerability was that Firefox was willing to accept short, export-grade Diffie-Hellman keys,” Richard Barnes, Firefox security lead at Mozilla, told eWEEK. “Firefox 39 will not accept Diffie-Hellman keys shorter than 1,023 bits, the minimum level secure enough for use in the modern Web.”
Mozilla’s data indicates that this change will affect around 0.04 percent of Transport Layer Security (TLS) transactions, according to Barnes. Some servers may need to be reconfigured or upgraded in order to use sufficiently strong Diffie-Hellman keys.
Looking forward, Firefox 40, which is now in beta, will provide a few new capabilities. At the top of the Firefox 40 features list is support for Windows 10, including tablet mode. Microsoft’s Windows 10 operating system is set for release on July 29.
Also starting with Firefox 40, Mozilla will begin to provide users with a warning for browser add-ons that have not been digitally signed.
“Mozilla verifies and ‘signs’ add-ons that follow a set of guidelines to ensure that users’ information will not be stolen of manipulated,” Mozilla states in a support post.
Are you a Firefox enthusiast? Take our quiz!
Originally published on eWeek.