July 29, 2014

Mozilla Fixes Critical Security Vulnerabilities and Adds Silent Updating to Firefox

(LiveHacking.Com) – The Mozilla Foundation has released a new version of its popular web browser. Firefox 12 brings some new features, including silent updates, and fixes several critical security vulnerabilities. The biggest change for Windows Vista and Windows 7 users is the addition of silent updates, which means that the UAC (User Account Control) pop-up will not appear when Firefox upgrades from one release to the next. To bypass UAC, which first appeared in Windows Vista, Mozilla has added a standalone update service that applies updates in the background. During the installation of Firefox 12 the user is asked to give explicit permission to install the update service, but is not prompted again for any subsequent release.

Google’s Chrome also offers silent updates, but rather than using a special Windows service, Chrome is installed in the user’s own folder within Windows, which does not require UAC permission. The downside of Google’s approach is that Chrome has to be installed separately for every user on a PC, which can be an administrative headache where there are multiple user accounts, for example on a shared family PC.

The functionality to relaunch and complete the update entirely in the background is scheduled for Firefox 13 or Firefox 14 this summer.

Firefox 12 also fixes seven Critical level security vulnerabilities, one of which applies only to Firefox Mobile:

  • MFSA 2012-31 Off-by-one error in OpenType Sanitizer
  • MFSA 2012-30 Crash with WebGL content using textImage2D
  • MFSA 2012-25 Potential memory corruption during font rendering using cairo-dwrite
  • MFSA 2012-23 Invalid frees causes heap corruption in gfxImageSurface
  • MFSA 2012-22 use-after-free in IDBKeyRange
  • MFSA 2012-21 Multiple security flaws fixed in FreeType v2.4.9 (Firefox Mobile only)
  • MFSA 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)

Along with these seven Critical bugs, Mozilla also fixed four High level security vulnerabilities and three Moderate ones. In total, three cross-site scripting (XSS) vulnerabilities were fixed, one of which applied only to Windows Vista and Windows 7 with hardware acceleration disabled.

The FreeType vulnerabilities in Firefox Mobile were discovered by the Google Security Team using the AddressSanitizer tool. Some of the bugs cause memory corruption and exploitable crashes when certain fonts are parsed. Firefox Mobile has been upgraded to FreeType version 2.4.9, which addresses these issues. Desktop Firefox does not use FreeType for fonts and was not affected.
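The bugs listed above are all memory-safety defects in parsers of attacker-supplied font data, and an off-by-one in a length check is exactly the kind of thing AddressSanitizer surfaces. As an added illustration written for this article (not code from Mozilla, OTS or FreeType), the C below validates the standard sfnt/OpenType table directory before touching any byte, so a truncated or malformed file yields an error code instead of an over-read. The header and record layout is the real sfnt one; the `sfnt_check_directory` function, the status names and the 32-byte sample font are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration for this article, not code from Mozilla, OTS or FreeType.
 * The sfnt/OpenType table directory is a 12-byte header (sfntVersion,
 * numTables, searchRange, entrySelector, rangeShift) followed by numTables
 * 16-byte records (tag, checkSum, offset, length). Every read below is
 * bounds-checked before it happens, which is the property a sanitizer-found
 * over-read lacks. */

#define SFNT_HEADER_LEN 12u
#define SFNT_RECORD_LEN 16u

enum sfnt_status {
    SFNT_OK = 0,
    SFNT_TRUNCATED_HEADER,    /* fewer than 12 bytes supplied */
    SFNT_TRUNCATED_RECORDS,   /* directory runs past the end of the buffer */
    SFNT_TABLE_OUT_OF_RANGE   /* a table's [offset, offset+length) is outside */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validate the directory of a font held in font[0..size). On success the
 * table count is stored through ntables (if non-NULL). */
enum sfnt_status sfnt_check_directory(const uint8_t *font, size_t size,
                                      uint16_t *ntables)
{
    if (size < SFNT_HEADER_LEN)
        return SFNT_TRUNCATED_HEADER;

    uint16_t n = rd16(font + 4);

    /* Off-by-one trap: testing only that the *start* of the last record is
     * inside the buffer lets its final bytes be read past the end. Require
     * the whole directory, computed in size_t so n*16 cannot wrap. */
    size_t need = SFNT_HEADER_LEN + (size_t)n * SFNT_RECORD_LEN;
    if (need > size)
        return SFNT_TRUNCATED_RECORDS;

    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *rec = font + SFNT_HEADER_LEN + (size_t)i * SFNT_RECORD_LEN;
        uint32_t off = rd32(rec + 8);
        uint32_t len = rd32(rec + 12);
        /* off + len may wrap in 32 bits; compare as len > size - off instead. */
        if (off > size || len > size - off)
            return SFNT_TABLE_OUT_OF_RANGE;
    }

    if (ntables)
        *ntables = n;
    return SFNT_OK;
}

/* Constructed 32-byte sample: header declaring one table, a 'head' record
 * pointing at offset 28 with length 4, and 4 bytes of table data. */
const uint8_t kSampleFont[32] = {
    0x00, 0x01, 0x00, 0x00,  0x00, 0x01,  0x00, 0x10,  0x00, 0x00,  0x00, 0x00,
    'h', 'e', 'a', 'd',  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x1C,  0x00, 0x00, 0x00, 0x04,
    0xDE, 0xAD, 0xBE, 0xEF
};

static const char *status_name(enum sfnt_status s) {
    static const char *names[] = { "OK", "TRUNCATED_HEADER",
                                   "TRUNCATED_RECORDS", "TABLE_OUT_OF_RANGE" };
    return names[s];
}

int main(void)
{
    /* The full file, then the same bytes cut short at 30, 20 and 8 bytes,
     * as a fuzzer or a damaged download would present them. */
    size_t sizes[] = { sizeof kSampleFont, 30, 20, 8 };
    for (size_t k = 0; k < 4; k++) {
        uint16_t n = 0;
        enum sfnt_status s = sfnt_check_directory(kSampleFont, sizes[k], &n);
        printf("size %2zu -> %s (tables=%u)\n", sizes[k], status_name(s), n);
    }
    return 0;
}
```

Building this with `-fsanitize=address` under clang or gcc and feeding it truncated copies of a font is the same check the Google Security Team applied to FreeType: with the two length checks in place every short input returns an error code; loosen the directory check to test only a record's first byte and the sanitizer reports the over-read the moment the loop touches bytes beyond `size`.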

More details about the changes can be found in the release notes. Firefox 12 is available for Windows, Mac OS X and Linux from the Firefox home page.