boot13On October 15th, Mozilla slipped another Firefox version into production. Firefox 41.0.2 was released to address a single security issue, CVE-2015-7184. The bug is described in a post on the Mozilla security advisories site. The release notes for Firefox 41.0.2 don’t provide any additional detail. There was no new version announcement.
Category Archives: Firefox
Firefox 41.0.1 released
The latest Firefox fixes a few bugs that caused crashes and hangs in relation to Flash, bookmarks, and Facebook. There are no security-related changes in this release.
The version 41.0.1 release notes provide additional detail.
It looks like Mozilla finally decided to stop putting all previous release notes for the associated major version on every release notes page. Instead, they’re adding a link to the major version’s release notes at the top of the What’s New list. Unfortunately, they managed to mess that up with this release, because the Reference: Release notes for Firefox 41.0 link actually points to the notes for Firefox 40.0. Here’s a link to the Firefox 41 notes.
Firefox 41 now available
The usual lack of a coherent version announcement accompanied yesterday’s release of Firefox 41. A post on the Mozilla blog refers vaguely to the ‘latest Firefox’, and provides a brief overview of changes to Firefox accounts and synchronization in the new version.
The release notes for Firefox 41 provide more details on the changes, although nothing listed there is of much interest.
Firefox 41 does include at least nineteen security fixes, as outlined on the Firefox Security Advisories page.
Recommendation: update Firefox as soon as possible.
Security roundup for August 2015
Last month in security and privacy news…
A weakness was discovered in the open BitTorrent protocol, rendering torrent software vulnerable to being used to initiate DDoS attacks. The BitTorrent protocol flaw was quickly updated, and patches for affected software were developed and distributed.
Malvertising continued to spread, most recently affecting popular sites like weather.com, drudgereport.com, wunderground.com, and eBay. Anyone visiting those sites with an unpatched browser may have inadvertently caused their computer to be compromised. Needless to say, the malicious ads were built with Flash.
It was a bad month for Android, as one of the updates released by Google that were intended to fix the Stagefright flaw turned out to be faulty, leaving some devices still vulnerable, and forcing Google back to the drawing board. Security researchers also discovered a flaw in Android’s Admin program that allows apps to break out of the security ‘sandbox’ and access data that should be inaccessible. Two flaws in fingerprint handling were also found in many Android devices, leaving both stored fingerprints and the fingerprint scanner itself vulnerable. And finally, new research exposed the predictability of Android lock patterns, making this particular form of security much less effective.
Lenovo’s hapless blundering continued, with the discovery that many of their PCs were using a little-known BIOS technology to ensure that their flawed, insecure crapware gets installed even when the operating system is reinstalled from scratch. Will these bozos ever learn?
Jeff Atwood reported on a new danger: compromised routers. If an attacker gains control of your router, there’s almost no limit to the damage they can inflict. Worse, there are no tools for detecting infected routers. If your router is compromised, no amount of malware scanning on your network’s computers will help. You’re vulnerable until you realize that the router is the problem and replace it or re-flash its firmware.
Mozilla offered more details on planned changes to Firefox that are expected to improve the browser’s security, stability, and performance. These changes are likely to benefit Firefox users, but will come at a cost: many existing browser add-ons will become obsolete. Add-on developers will be forced to make big changes or retire their software. Certain types of add-ons may not even be possible with the changes Mozilla plans.
In privacy news, the Electronic Freedom Foundation (EFF) released version 1.0 of Privacy Badger, a Chrome and Firefox add-on that blocks tracking mechanisms used on the web. The add-on initially doesn’t block anything, but learns as you browse, detecting cookies that are used on more than one site and blocking them.
And in other EFF news, a new malware campaign uses spearphishing techniques to get targets to visit what is supposed to be an EFF web site but is in fact a source of virulent malware.
Google announced upcoming changes to Chrome that will prevent extension developers from using deceptive practices to trick users into installing their software. Specifically, the ‘inline installation’ process will no longer work for extensions that are associated with these deceptive techniques. This is a good example of a software maker (Google) backing away from a feature that improved usability at the cost of security.
Google also firmed up plans to prevent most Flash media from being displayed by default in Chrome. Flash media won’t be blocked, but users will be required to click on each embedded video before it will play. Google’s official reason for doing this is to improve Chrome’s performance, but the change should reduce the spread of malvertising as well. Of course, Google’s own advertising network still allows Flash-based ads, and those ads will still auto-play. Google’s advice to advertisers is to switch from Flash-based ads to HTML5-based ads, or move to Google’s ad network.
And finally, Ars Technica posted a useful overview and instructions for encrypting your desktop, laptop and mobile devices. Be warned, total device encryption is not for the faint-hearted and comes with certain risks. For example, if you forget to tell your IT person that your hard drive is encrypted and they try to recover your computer from a failure, you may lose everything, even if your data is backed up.
Firefox 40.0.3 released
There’s another new version of Firefox. Version 40.0.3 was released yesterday, with the usual total lack of a proper announcement. The release notes make it clear that this is a minor bug fix release, although at least two security vulnerabilities were also fixed.
Firefox 40.0.2 released
Version 40.0.1 appeared briefly on the Firefox download page yesterday, but it was removed almost immediately. Then 40.0.2 appeared, and it seems to be staying put. The release notes reveal that the new version fixes a few minor bugs, but none of those bugs seem to be related to security. There was, as usual, no proper announcement for this version.
Firefox 40 improves add-on security
The newest Firefox is version 40, and as usual there was no proper announcement. There’s a post on the Mozilla blog that gets into the details of version 40’s security improvements, but it never mentions the version. The release notes provide additional details. Here are some of the more notable changes:
- Improvements to Windows 10 support, including workarounds for the way Microsoft messes up default browser settings
- Add-on certification: non-certified add-ons will be disabled by default
- Improvements to visual style: for example, the ‘close’ button on tabs is now larger
- Expanded malware protection, which warns users about to visit sites that are flagged by Google’s Safe Browsing Service
- Smoother animation and scrolling for Windows
- Improvements to JPEG image handling
- At least fourteen security fixes
Critical vulnerability in Firefox’s PDF viewer
Firefox has had its own internal PDF viewer for a while now, and it’s enabled by default. When you click on a PDF file link in Firefox, it will do one of the following: a) open with Firefox’s internal viewer; b) open with a PDF viewer plugin such as Adobe’s Reader plugin; or c) download and open with an external viewer. Unfortunately, PDF files can also be embedded on web pages, in which case there’s no need to click on anything to view them; merely visiting a web site with an embedded PDF will show the file’s contents. Worse still, some advertising platforms serve ads in the form of PDF files.
Now comes news that a newly-discovered vulnerability in Firefox’s internal PDF viewer is being actively exploited on at least one advertising network, and that malware-containing PDF ads were recently observed on a Russian news site.
Mozilla confirmed the bug and quickly released Firefox 39.0.3 to address it. All users are strongly encouraged to update Firefox as soon as possible.
But there’s more bad news. There’s no way to know whether this vulnerability has been exploited elsewhere on the web. There’s no reason to assume that only one Russian news site was affected, or that infected ads haven’t already appeared on other ad networks and web sites. If you use Firefox with the internal PDF viewer enabled, there’s a chance your computer ran a malicious script at some point. If you run a script blocker like Noscript, and you haven’t altered its default behaviour, you were probably protected.
The only known instance of a malicious script that exploits this vulnerability looks for configuration files related to Subversion, Pidgin, Filezilla, and other FTP applications on Windows systems. If you have any passwords stored in these configuration files, you should consider changing those passwords.
You might also want to consider disabling Firefox’s built-in PDF viewer. To do that, enter ‘about:config’ in the address bar. You’ll see a warning; confirm that you want to proceed by clicking the “I’ll be careful” button. In the Search box, enter ‘pdfjs.disabled’. One setting should appear in the list below. If the setting is currently ‘false’, double-click it to change it to ‘true’. This will prevent embedded PDFs from being shown on web pages.
Mozilla’s plans to make Firefox better
For years, Firefox has been the go-to browser for tech-savvy users, who mainly want to avoid using Internet Explorer. More recently, Firefox has been losing users to Chrome, albeit slowly. Fast-forward to today, and it’s increasingly common to hear people complain about Firefox’s bloat, and its performance issues.
I still use Firefox, but I’d switch to Chrome in a heartbeat if that browser had a bookmark sidebar. And I’m not the only one: the comments in this Chrome Help Forum thread clearly show users’ frustration with Google’s foot-dragging.
Apparently Mozilla can see the writing on the wall. A new effort is underway to improve Firefox’s quality. Part of this will involve identifying and removing features that are incomplete or ineffective, which should help to reduce bloat and improve performance. It’s way too soon to know if this will be enough for Firefox to hold on to notoriously fickle browser users, but at least Firefox may now have a chance.
Meanwhile, Microsoft’s new web browser (Edge) is going to complicate things if it really is as fast as claimed.
Flash 18.0.0.209 fixes latest vulnerabilities
Earlier today, Adobe released yet another version of Flash to address the most recent vulnerabilities revealed in the Hacker Team leak (CVE-2015-5122 and CVE-2015-5123).
According to the release notes for version 18.0.0.209: “These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly.”
If you still need to use a web browser with Flash enabled, you should install the new Flash version immediately. As usual, Internet Explorer 10/11 in Windows 8.x will receive the Flash update via Windows Update. A new version of Google Chrome (43.0.2357.134) includes the most recent Flash version.
Ars Technica has more about the latest updates and efforts to minimize Flash-related vulnerabilities by Mozilla and Google.