Category Archives: Firefox

Plugins will be safer in future versions of Firefox

Presumably in response to the recent flood of Java vulnerabilities, the developers of Firefox (Mozilla) will be adding a new layer of security to all plugins, including the notororiously insecure Java, Flash and Adobe Reader.

Essentially, the new security will consist of additional prompts when plugins are triggered. So when a web site tries to run Java code, Firefox will prompt you to make sure you really want to allow the plugin to activate and run the Java code. You will be able to control which plugins and sites are affected.

Oracle/Sun recently made similar changes to Java itself, in an attempt to improve the overall safety of Java in web browsers. However, as security researcher Adam Gowdiak points out, those changes are ineffective: Java code can still run silently, bypassing the new safeguards. He writes:

… unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings …
Our Proof of Concept code … has been successfully executed in the environment of [the] latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 … and with “Very High” Java Control Panel security settings.

That said, recent … security “improvements” to Java SE 7 software don’t prevent silent exploits at all. Users that require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit.

Firefox 17 released

The latest version of Firefox includes some security improvements designed to help prevent malware infection via out of date versions of Adobe Reader, Adobe Flash and Microsoft Silverlight. Specifically, when Firefox tries to display content using those older plugins, it will prompt the user for confirmation.

Version 17 also includes the usual assortment of security, performance and other bug fixes.

Firefox 16.0 pulled due to vulnerability

Update 2012Oct12: Version 16.0.1 of Firefox has just been released. The new version fixes the vulnerability that caused version 16.0 to be pulled from the Firefox download site yesterday. All users are encouraged to upgrade to 16.0.1 as soon as possible.

Firefox 16.0 has been removed from the Mozilla web site due to a new vulnerability. Users who have already upgraded to the new version should either downgrade to version 15.0.1 or exercise extreme caution before visiting any unfamiliar or suspicious web site. The new vulnerability makes it possible for web sites to access information that is normally protected by the browser.

Update 2012Oct12: No exploits using this vulnerability have yet been seen in the wild, but a proof of concept has been published. The POC demonstrates the vulnerability with a few lines of Javascript code that could be embedded on a web site. Now that this POC has been made public, it’s reasonable to assume that similar code will start appearing on hacked and malicious web sites in the very near future.

Firefox 15 released

Another new version of Firefox was announced today. Version 15 includes some new features, like silent updates (which I will immediately disable), and some fixes for long-standing plugin memory use issues.

The Firefox release notes for version 15 have all the changes.

Interestingly, there doesn’t seem to be a list of previous Firefox versions or the corresponding release notes anywhere on the site. But you can find the release notes for a version by replacing ‘15.0’ with any other version number in this URL:
http://www.mozilla.org/en-US/firefox/15.0/releasenotes/.