Mozilla patches updater bugs with Firefox 13, plays catch-up on new tabs
Browser finally copies rivals with graphical 'new tab' page that shows most-viewed sites
Computerworld Australia - Mozilla today released Firefox 13, an upgrade that patched 13 vulnerabilities, including two critical flaws in the browser's update service.
Firefox also joined its rivals in finally adding a graphical "new tab" page that shows the most-frequent destinations.
Ten of the vulnerabilities patched Tuesday were rated "critical" by the open-source developer, while two were tagged "high" and one as "moderate." Mozilla uses a four-step threat scoring system, with critical the most dire.
Two of the critical bugs were in the updater and update service used by Firefox 12 on Windows, Mozilla acknowledged in an advisory.
The news came just a day after Microsoft confirmed that a flaw in one of its certificate authorities (CAs) had been exploited to generate bogus digital signatures, which were used by the Flame cyber-espionage super-tool to fake Windows Update, Microsoft's default update service.
Flame's makers spoofed Windows Update to infect fully-patched Windows PCs.
Mozilla's description of the two vulnerabilities pointed to "DLL load hijacking" bugs, a category of Windows flaws first disclosed nearly two years ago by HD Moore, chief security officer at Rapid7 and creator of the open-source Metasploit penetration-testing toolkit.
Because many Windows applications load DLLs by bare file name rather than by full path, an attacker can trick an application into loading a malicious file that carries the same file name as a required DLL.
In Firefox's case, the bugs could be used to load malware on the Windows PC -- assuming the hackers had local file system access through other means -- to gain additional rights on the victimized machine.
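A defensive check that follows from this, added here as an example and not taken from the article or from Mozilla: a PowerShell script that walks the directories Windows consults when a DLL is requested by bare file name and flags any that low-privilege users can write to. The Firefox executable path is an assumed placeholder; point it at whatever application you are assessing.

```powershell
# Added example (not from the article): audit an application's DLL search
# path for directories that non-administrators can write to. A writable
# directory on this path is where a same-named malicious DLL could be planted.
param(
    # Assumed placeholder path; adjust to the executable under review.
    [string]$ExePath = 'C:\Program Files\Mozilla Firefox\firefox.exe'
)

# Directories consulted for a DLL loaded by bare name: the application
# directory, the system directories, the current directory and PATH entries.
$searchDirs = @(
    (Split-Path -Parent $ExePath),
    [Environment]::SystemDirectory,
    $env:SystemRoot,
    (Get-Location).Path
) + ($env:PATH -split ';' | Where-Object { $_ })

# Well-known SIDs that should never hold write access on a search-path directory.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles

foreach ($dir in ($searchDirs | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    $acl = Get-Acl -LiteralPath $dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or untranslatable identity
        if (($lowPrivSids -contains $sid) -and ($ace.FileSystemRights -band $writeMask)) {
            [pscustomobject]@{
                Directory = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}
```

Any row the script emits is a directory where a DLL dropped by an unprivileged user would be found before, or instead of, the intended one; tightening its ACL or having the application load that DLL by full path removes the exposure.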
Mozilla credited James Forshaw, a researcher with U.K.-based Context Information Security, for reporting the updater and update service vulnerabilities.
Three other vulnerabilities were submitted by a Google-employed researcher, while a fourth was reported by Arthur Gerkis, a frequent recipient of bug rewards from Google's Chrome team.
All but the two flaws in Firefox's updater and update service also applied to Firefox ESR (Extended Support Release), the longer-lived edition designed for enterprises that don't want to update workers' machines every six weeks.
The current version of Firefox ESR is based on Firefox 10, which shipped in December 2011. ESR receives only security updates during its 54-week lifespan.
Mozilla no longer supports Firefox 3.6 with security updates: The company halted patches for that 2010 edition in April, when it also stopped serving updates for users running Windows 2000 and the earliest editions of Windows XP.
Mozilla has been nagging Firefox 3.6 users with pleas to upgrade for months, and recently took to automatically upgrading them to Firefox 12. The move seems to be working. In May, Firefox 3.6's share of all copies of Mozilla's browsers dropped to a record low of 9%. Just 12 months ago, version 3.6 accounted for a third of all Firefox browsers.
As usual, Mozilla also tweaked Firefox with both minor and major changes, including a revamped Home page and a redesigned "new tab" page.