Category Archives: Firefox

Firefox 53.0: security updates and performance improvements

A major change to the internal workings of Firefox should result in faster web page rendering on most Windows computers. Unfortunately, that doesn’t include Windows XP: starting with version 53.0, Firefox no longer supports XP or Vista.

Firefox 53.0 also fixes at least twenty-nine security issues, so it’s a good idea to update it as soon as possible. Firefox can be rather sluggish about updating itself, but you can usually trigger an update by clicking the menu icon at the top right (three horizontal lines), then the little question mark icon, then About Firefox.

Also in the new release are some improvements to Firefox’s user interface, including two new ‘compact’ themes that free up some screen space. Site permission prompts are now somewhat easier to understand and more difficult to miss. Tab titles that are too long to fit in a tab now fade out at the end instead of being cut off and replaced by ellipses, which makes more of the truncated title visible.

Firefox 52.0.2

There’s another new Firefox release: 52.0.2. The new version fixes a few minor bugs, none related to security.

Firefox should update itself automatically to the new version, but there’s no particular urgency about this update, unless you’re affected by one of the bugs it fixes. See the release notes for details.

As usual, there was no announcement from Mozilla about Firefox 52.0.2. I learned about this one when Firefox offered to update itself.

Firefox 52.0.1

A single security fix is apparently the sole reason Mozilla released Firefox 52.0.1 on March 17. There was no announcement from Mozilla, but as usual, CERT picked up the slack with their own announcement. The release notes for 52.0.1 point to a related security advisory.

Firefox will offer to update itself over the next few days, but you can usually trigger an update by navigating to its About dialog (hamburger menu icon > question mark icon > About Firefox).

Firefox 52 – security fixes, WebAssembly support

At this point it seems clear that Mozilla has instructed its content writers to never mention version numbers in Firefox release announcements. The reason remains a mystery. Take yesterday’s announcement, for example. It begins “Today’s release of Firefox” – which makes it sound like Firefox is a new product.

Anyway… the mystery Firefox release yesterday was in fact version 52, which fixes at least twenty-eight security vulnerabilities. The new version also adds support for WebAssembly, which can dramatically improve the performance of web-based applications. Support for those annoying WiFi ‘captive portal’ hotspot login pages is improved in Firefox 52, and there are further improvements to the warnings you’ll see when you’re presented with a login form on an unencrypted connection.

Firefox 52 also removes almost all remaining support for the NPAPI plugin technology, with the lone exception being Flash, which means Silverlight, Java, Acrobat and other plugins that depend on NPAPI will no longer work. Support for the NPAPI version of Flash will apparently be removed in the next major Firefox release.

Firefox 51.0.1

There were a couple of problems with Firefox 51 that prompted Mozilla to push out another new version yesterday. Firefox 51.0.1 resolves the two problems, one of which was related to the new multiprocess features.

Firefox itself seems to take a few days to notice new versions. Click the ‘hamburger’ menu button at the top right, then click the question mark icon, then click ‘About Firefox’ to see the version you’re running. In my experience, Firefox will usually say ‘Firefox is up to date’ until a couple of days after a new release becomes available. This is potentially confusing, but Mozilla doesn’t seem to understand that.

If you don’t want to wait for Firefox to notice the new version, you’ll have to download it directly from Mozilla.

Firefox 51 fixes 24 security issues

The latest version of Firefox addresses at least twenty-four security vulnerabilities and changes the way non-encrypted sites appear in the address bar.

As usual, there’s nothing like a proper announcement for Firefox 51. What we get from Mozilla instead is a blog post that discusses some new features in Firefox, and mentions the new version number almost accidentally in the third paragraph. Once again, CERT does a better job of announcing the new version than Mozilla.

Starting with version 51, Firefox will flag sites that are not secured with HTTPS if they prompt for user passwords. Secure sites will show a green lock at the left end of the address bar as before, but sites that are not secure will show a grey lock with a red line through it. Previously, non-encrypted sites showed no lock icon at all. The idea is to draw the user’s attention to the fact that they are browsing without the security of encryption, which is risky when sensitive information (passwords, credit card numbers) is entered by the user.

New, critical Firefox zero-day

If you’re a Firefox user, you might want to think about using a different browser for the next day or so. Researchers have discovered a critical vulnerability that has yet to be patched. Mozilla is working on a fix but there’s no word on when it will be available.

Ars Technica has more.

Update 2016Nov30: Mozilla just released Firefox 50.0.2, which includes a fix for this vulnerability. Mozilla posted about this as well.

Firefox 50.0.1 fixes one critical security issue

There’s a critical security vulnerability in Firefox 49 and 50, and Mozilla just released Firefox 50.0.1 to address it. Which is great, except for one thing: the total lack of anything resembling an announcement.

Yes, Firefox can be configured to update itself or alert you when an update is available, but that setting can also be disabled completely. Worse, it can take days for Firefox’s internal update checker to detect that there’s a new version.

I discovered the new version by way of a post on the US-CERT site.

SHA-1 deprecation coming soon

SHA-1 (Secure Hash Algorithm 1) is still used by some web sites to encrypt their traffic. Starting in early 2017, most web browsers will start displaying scary-looking warnings when anyone tries to visit sites using SHA-1.

Like this one in Edge:

After Feb 14, 2017, Microsoft Edge will show this warning when it detects SHA-1 encryption
After Feb 14, 2017, Microsoft Edge will show this warning when it detects SHA-1 encryption

SHA-1 deprecation announcements

Microsoft

(From a post on the Microsoft Edge blog.)

Starting on February 14th, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Though we strongly discourage it, users will have the option to ignore the error and continue to the website.

Mozilla

From a post on the Mozilla security blog.

In early 2017, Firefox will show an overridable “Untrusted Connection” error whenever a SHA-1 certificate is encountered that chains up to a root certificate included in Mozilla’s CA Certificate Program. SHA-1 certificates that chain up to a manually-imported root certificate, as specified by the user, will continue to be supported by default; this will continue allowing certain enterprise root use cases, though we strongly encourage everyone to migrate away from SHA-1 as quickly as possible.

Google

From a post on the Google security blog.

We are planning to remove support for SHA-1 certificates in Chrome 56, which will be released to the stable channel around the end of January 2017. The removal will follow the Chrome release process, moving from Dev to Beta to Stable; there won’t be a date-based change in behaviour.