Tuesday, June 05, 2012

Mozzila Firefox 13 Released With Critical Security Updates


Firefox 13 was sent to the release channel today by Mozilla.  Included in the update are five (5) critical, two (2) high, and one (1) moderate security update.  Of greatest concern is MFSA 2012-35, introduced with the first step toward silent updates included in the Firefox 12 update:

"Security researcher James Forshaw of Context Information Security found two issues with the Mozilla updater and the Mozilla updater service introduced in Firefox 12 for Windows. The first issue allows Mozilla's updater to load a local DLL file in a privileged context. The updater can be called by the Updater Service or independently on systems that do not use the service. The second of these issues allows for the updater service to load an arbitrary local DLL file, which can then be run with the same system privileges used by the service. Both of these issues require local file system access to be exploitable."


Security Updates Fixed in Firefox 13

  • MFSA 2012-40 Buffer overflow and use-after-free issues found using Address Sanitizer
  • MFSA 2012-39 NSS parsing errors with zero length items
  • MFSA 2012-38 Use-after-free while replacing/inserting a node in a document
  • MFSA 2012-37 Information disclosure though Windows file shares and shortcut files
  • MFSA 2012-36 Content Security Policy inline-script bypass
  • MFSA 2012-35 Privilege escalation through Mozilla Updater and Windows Updater Service
  • MFSA 2012-34 Miscellaneous memory safety hazards

What's New

An interesting new feature is the change when opening a new tab.  Where it was previously a blank space, the new tab now has a feature like Internet Explorer 9 and the other major browsers.  Where IE9, for example, includes links to "Your most popular sites", Firefox 13 now displays tab views and links to "most visited pages".

The Release Notes include new and fixed features in version 13.  The numerous Bug Fixes are in the link available in References.
  • NEW -- When opening a new tab, users are now presented with their most visited pages
  • NEW -- General performance improvements through incremental JavaScript garbage collection
  • NEW -- The default home page now has quicker access to bookmarks, history, settings, and more
  • CHANGED -- SPDY protocol now enabled by default for faster browsing on supported sites
  • CHANGED -- Restored background tabs are not loaded by default for faster startup
  • CHANGED -- Smooth scrolling is now enabled by default

      Known Issues

      • If you try to start Firefox using a locked profile, it will crash (see 573369)
      • For some users, scrolling in the main GMail window will be slower than usual (see 579260)
      • Windows: The use of Microsoft's System Restore functionality shortly after updating Firefox may prevent future updates (see 730285)
      • OS X: nsCocoaWindow::ConstrainPosition uses wrong screen in multi-display setup (see 752149)
      • CSS :hover regression when an element's class name is set by Javascript (see 758885)

      Update

      The upgrade to Firefox 13 will be offered through the browser update mechanism after any impacts related to the Microsoft Security Updates are analyzed.  To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

      If you do not use the English language version, Fully Localized Versions are available for download.

      References




      Remember - "A day without laughter is a day wasted."
      May the wind sing to you and the sun rise in your heart...


      No comments: