Skip the navigation

Mozilla patches updater bugs with Firefox 13, plays catch-up on new tabs

Browser finally copies rivals with graphical 'new tab' page that shows most-viewed sites

June 5, 2012 03:52 PM ET

Computerworld Australia - Mozilla today released Firefox 13, an upgrade that patched 13 vulnerabilities, including two critical flaws in the browser's update service.

Firefox also joined its rivals in finally adding a graphical "new tab" page that shows the most-frequent destinations.

Ten of the vulnerabilities patched Tuesday were rated "critical" by the open-source developer, while two were tagged "high" and one as "moderate." Mozilla uses a four-step threat scoring system, with critical the most dire.

Two of the critical bugs were in the updater and update service used by Firefox 12 on Windows, Mozilla acknowledged in an advisory.

The news came just a day after Microsoft confirmed that a flaw in one of its certificate authorities (CAs) had been exploited to generate bogus digital signatures, which were used by the Flame cyber-espionage super-tool to fake Windows Update, Microsoft's default update service.

Flame's makers spoofed Windows Update to infect fully-patched Windows PCs.

Mozilla's description of the two vulnerabilities pointed to "DLL load hijacking" bugs, a category of Windows flaws first disclosed nearly two years ago by HD Moore, chief security officer at Rapid7 and creator of the open-source Metasploit penetration-testing toolkit.

Because many Windows applications don't call DLLs using a full path name, instead using only the filename, hackers can trick an application into loading a malicious file with the same title as a required DLL.

In Firefox's case, the bugs could be used to load malware on the Windows PC -- assuming the hackers had local file system access through other means -- to gain additional rights on the victimized machine.

Mozilla credited James Forshaw, a researcher with U.K.-based Context Information Security, for reporting the updater and update service vulnerabilities.

Three other vulnerabilities were submitted by a Google-employed researcher, while a fourth was reported by Arthur Gerkis, a frequent recipient of bug rewards from Google's Chrome team.

All but the two flaws in Firefox's updater and update service also applied to Firefox ESR (Extended Support Release), the longer-lived edition designed for enterprises that don't want to update workers' machines every six weeks.

The current version of Firefox ESR is based on Firefox 10, which shipped in December 2011. ESR receives only security updates during its 54-week lifespan.

Mozilla no longer supports Firefox 3.6 with security updates: The company halted patches for that 2010 edition in April, when it also stopped serving updates for users running Windows 2000 and the earliest editions of Windows XP.

Mozilla has been nagging Firefox 3.6 users with pleas to upgrade for months, and recently took to automatically upgrading them to Firefox 12. The move seems to be working. In May, Firefox 3.6's share of all copies of Mozilla's browsers dropped to a record low of 9%. Just 12 months ago, version 3.6 accounted for a third of all Firefox browsers.

As usual, Mozilla also tweaked Firefox with both minor and major changes, including a revamped Home page and a redesigned "new tab" page.

Firefox 13
Firefox 13's 'new tab' page now mimics other browsers by displaying thumbnails of recently-viewed sites.
Reprinted with permission from Computerworld Australia Story copyright 2012 Computerworld New Australia. All rights reserved.
Our Commenting Policies