DEVELOPMENT

Firefox 30 Delivers 7 Security Fixes, Other Changes

01:15 Wednesday Jun 11, 2014

            

In contrast to the fanfare associated with Firefox 29 and its new interface, Firefox 30 delivers security fixes and incremental feature updates.

Not all browser releases are full of exciting, new features users will immediately notice. The Mozilla Firefox 30 browser does not include major new features, yet it does provide users with security fixes and some incremental updates.

Released June 10, Firefox 30 improves on the Firefox 29 browser, which debuted April 29 with the biggest user interface update for the open-source browser in years.

On the user interface side, the Firefox 30.0 release notes indicate that the sidebars button in the browser now enables faster access to social, bookmark and history sidebars. Additionally, with Firefox 30.0, Mozilla is now providing users with support for the GStreamer 1.0 framework for multimedia streaming.

Firefox 30.0 includes seven security advisories attached to the open-source browser release.

As is common in nearly every Firefox release, one of the security advisories is identified as fixing "miscellaneous memory safety hazards." In the case of Firefox 30, only two memory hazards, CVE-2014-1533 and CVE-2014-1534, are patched.

Firefox isn't the only Web browser that has to face the challenge of memory-related security vulnerabilities. As part of its June Patch Tuesday update, Microsoft patched the Internet Explorer browser for 54 memory-corruption vulnerabilities.

In addition to the miscellaneous memory safety hazards, three of the Firefox security advisories deal with use-after-free memory vulnerabilities. "Use-after-free" flaws enable an attacker to abuse memory space from properly allocated program space.

Mozilla Foundation Security Advisory (MSFA) 2014-49 identifies CVE-2014-1536, CVE-2014-1537 and CVE-2014-1538 as use-after-free vulnerabilities that were found with Google's Address Sanitizer tool. The Address Sanitizer technology is an open-source tool for detection of memory errors in C and C++ code.
"Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a number of use-after-free and out-of-bounds read issues using the Address Sanitizer tool," Mozilla states in its advisory. "These issues are potentially exploitable, allowing for remote code execution."

The Google Address Sanitizer tool was also used by the BlackBerry security team to find a use-after-free error in Firefox's event listener manager code. Famed security researcher "Nils" also is credited with the discovery of a use-after-free vulnerability that was discovered using Address Sanitizer. Nils first rose to notoriety in 2009 when he was able to successfully exploit Microsoft's Internet Explorer, Apple Safari and Mozilla Firefox in the Pwn2own hacking competition.

There are also two security advisories in Firefox 30 for buffer-overflow issues—one affecting the Web audio component and the other the Gamepad API. The Gamepad API was first introduced in the Firefox 29 release, enabling the browser to use a gamepad control device for gaming.

Finally, Firefox 30.0 provides a fix for a click-jacking flaw identified as CVE-2014-1539 that only affects Mac OS X users. Firefox 30.0 is available for Windows, Linux and Mac OS X systems. Click-jacking is an attack vector in which a malicious object is hidden underneath a legitimate Web button that a user is likely to click.

"Security researcher Jordi Chancel reported a mechanism where the cursor can be rendered invisible after it has been used on an embedded flash object when used outside of the object," Mozilla warned in its advisory . "This flaw can be in used in combination with an image of the cursor manipulated through JavaScript, leading to click-jacking during interactions with HTML content subsequently."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com . Follow him on Twitter @TechJournalist.

 

< Back

  1. stephy509487
    17:46 Friday Nov 21, 2014
    Very Good Site and awesome writing too , and great thanks to the writer Nifty options

Add your comment

We aim to have healthy debate. But we won't publish comments that abuse others

1200 characters left

 

 

LATEST NEWS

 
  

© copyright 2013 Website News. All rights reserved.

 

SECTIONS

ABOUT

SUBSCRIBE

 

Website News is for and about the website design, development, marketing industry. We will endeavor to bring you up-to-date news and information to help you in your work as well as give you useful information and tips for your clients and their businesses.

We are always keen for you to submit any information you find from elsewhere, or about your business, that you feel will be relevant.

 

 

 

 

Contact Us:

For advertising enquiries or to submit a story, please email us at: editor@websitenews.co

 

Login

Website News

Sign-up to Website News and create your universal Woogloo ID

Your details

Your login details

Your address


Is your address not being found?

Company

Company address

Yes No


To register on the Website News website you either need to use your
exisitng Woogloo ID or create a new one (see below).

Sign Up

Why sign up?

  • Get access to Registered User's priviledges, which may include hidden pages, special features and special pricing, if they exist, on this website.
  • Get access to all sites powered by Woogloo V3 without having to enter your details everytime.

Login Error

Forgot your password?

Enter your email address below and click 'Reset Password' Button




What is a Woogloo ID

Logging in...