Mozilla patches updater bugs with Firefox 13, plays catch-up on new tabs
Browser finally copies rivals with graphical 'new tab' page that shows most-viewed sites
Computerworld Australia - Mozilla today released Firefox 13, an upgrade that patched 13 vulnerabilities, including two critical flaws in the browser's update service.
Firefox also joined its rivals in finally adding a graphical "new tab" page that shows the most-frequent destinations.
Ten of the vulnerabilities patched Tuesday were rated "critical" by the open-source developer, while two were tagged "high" and one as "moderate." Mozilla uses a four-step threat scoring system, with critical the most dire.
Two of the critical bugs were in the updater and update service used by Firefox 12 on Windows, Mozilla acknowledged in an advisory.
The news came just a day after Microsoft confirmed that a flaw in one of its certificate authorities (CAs) had been exploited to generate bogus digital signatures, which were used by the Flame cyber-espionage super-tool to fake Windows Update, Microsoft's default update service.
Flame's makers spoofed Windows Update to infect fully-patched Windows PCs.
Mozilla's description of the two vulnerabilities pointed to "DLL load hijacking" bugs, a category of Windows flaws first disclosed nearly two years ago by HD Moore, chief security officer at Rapid7 and creator of the open-source Metasploit penetration-testing toolkit.
Because many Windows applications load DLLs by filename alone rather than by full path, an attacker can trick an application into loading a malicious file that carries the same name as a required DLL, provided it sits in a directory the loader searches first.
In Firefox's case, the bugs could be used to load malware on the Windows PC -- assuming the hackers had local file system access through other means -- to gain additional rights on the victimized machine.
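As an added illustration of the bare-filename problem the article describes (this is example code written for this page, not Mozilla's updater or its fix), the model below walks a simplified Windows DLL search order over a constructed directory layout, flags loads that would resolve in a locally writable directory ahead of System32 or not at all, and shows the full-path form that bypasses the search. The directory contents, DLL names and the assumption that the updater's own directory is writable by a local user are all constructed for the example.

```python
import ntpath

# Simplified default Windows DLL search order (SafeDllSearchMode enabled):
# the application directory is consulted before System32, and the current
# directory and PATH after it. The 16-bit system directory is omitted here.
SEARCH_ORDER = ("app", "system32", "windows", "cwd", "path")
# Directories that, in this constructed scenario, a local user can write to.
WRITABLE = {"app", "cwd", "path"}
MISSING = "not found in any searched directory"

def resolve_dll(name, dirs):
    """Return the search-order key where a load of `name` resolves.
    A full path bypasses the search; a bare filename walks SEARCH_ORDER."""
    if ntpath.isabs(name):
        return "absolute"
    for key in SEARCH_ORDER:
        if name.lower() in dirs.get(key, set()):
            return key
    return MISSING

def audit_loads(loaded, dirs):
    """Flag the two hijackable cases: a bare name that resolves in a writable
    directory ahead of System32, and a bare name found nowhere (so a planted
    copy in the first writable directory searched would be the one loaded)."""
    findings = {}
    for name in loaded:
        where = resolve_dll(name, dirs)
        if where in WRITABLE or where == MISSING:
            findings[name] = where
    return findings

def harden(name, trusted_dir=r"C:\Windows\System32"):
    """The mitigation the text implies: load by full path, not bare filename."""
    return name if ntpath.isabs(name) else ntpath.join(trusted_dir, name)

# Constructed scenario: an updater loads three DLLs; a local user with write
# access to the updater's directory has placed a wintrust.dll there, and
# dwmapi.dll is absent from every directory the loader would search.
DIRS = {
    "app": {"updater.exe", "wintrust.dll"},
    "system32": {"wintrust.dll", "version.dll", "kernel32.dll"},
    "windows": set(),
    "cwd": set(),
    "path": set(),
}
LOADS = ["wintrust.dll", "dwmapi.dll", r"C:\Windows\System32\version.dll"]

if __name__ == "__main__":
    for dll, where in audit_loads(LOADS, DIRS).items():
        print(f"{dll}: {where} -> load as {harden(dll)}")
    assert not audit_loads([harden(d) for d in LOADS], DIRS)
```

Run as a script it prints the two flagged loads; the final assertion shows that the same list loaded by full path is no longer flagged.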
Mozilla credited James Forshaw, a researcher with U.K.-based Context Information Security, for reporting the updater and update service vulnerabilities.
Three other vulnerabilities were submitted by a Google-employed researcher, while a fourth was reported by Arthur Gerkis, a frequent recipient of bug rewards from Google's Chrome team.
All but the two flaws in Firefox's updater and update service also applied to Firefox ESR (Extended Support Release), the longer-lived edition designed for enterprises that don't want to update workers' machines every six weeks.
The current version of Firefox ESR is based on Firefox 10, which shipped in December 2011. ESR receives only security updates during its 54-week lifespan.
Mozilla no longer supports Firefox 3.6 with security updates: The company halted patches for that 2010 edition in April, when it also stopped serving updates for users running Windows 2000 and the earliest editions of Windows XP.
Mozilla has been nagging Firefox 3.6 users with pleas to upgrade for months, and recently took to automatically upgrading them to Firefox 12. The move seems to be working. In May, Firefox 3.6's share of all copies of Mozilla's browsers dropped to a record low of 9%. Just 12 months ago, version 3.6 accounted for a third of all Firefox browsers.
As usual, Mozilla also tweaked Firefox with both minor and major changes, including a revamped Home page and a redesigned "new tab" page.