Mozilla released the 25th version of its mobile and desktop Firefox browser yesterday, fixing 10 vulnerabilities, five of them critical.

The United States Computer Emergency Readiness Team (US-CERT) warned yesterday that the vulnerabilities could let an attacker execute arbitrary code, bypass access restrictions, obtain sensitive information and cause a denial-of-service (DoS) condition.

According to the Mozilla Security Foundation Advisory, the critical fixes address a few problems, namely a series of use-after-free bugs and memory bugs in the JavaScript engine that can open the system up to attackers and lead to a crash.

Mozilla also patched a non-critical bug, discovered by security researcher Cody Crews, that could have let an attacker append an iframe into an embedded PDF object. The result could have been the disclosure of local system files and the bypassing of security restrictions.

According to the company’s bug-tracking database Bugzilla, 565 bugs in total were fixed in Firefox 25.0.

While Mozilla’s Thunderbird mail client (24.1) and SeaMonkey (2.22) Internet application suite were also updated yesterday, most of the bugs fixed were exploitable only in the Firefox browser or Firefox “browser-like contexts.” Because scripting is disabled in Thunderbird and SeaMonkey, they are less likely to be exploited.

Mozilla’s mobile version got an upgrade yesterday as well, bringing some existing security features from the desktop browser to Android devices.

One of those features, mixed content blocking, was introduced in the main Firefox browser back in August and should protect users from man-in-the-middle attacks and eavesdroppers on HTTPS pages. The feature reduces the threat of insecure images, audio and JavaScript on HTTPS pages by blocking them by default.
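A site operator can check ahead of time which resources on an HTTPS page fall under the blocking described above. This is an added example, not code from Mozilla or the original article; `MixedContentAuditor`, `audit` and the `example.test` hostnames are constructed for illustration, and it covers only the image, audio and script tags the article names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# The three resource kinds the article names: images, audio and JavaScript.
RESOURCE_TAGS = {"img": "image", "audio": "audio", "script": "javascript"}

class MixedContentAuditor(HTMLParser):
    """Collect subresources that an HTTPS page would fetch over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []      # (kind, absolute_url, line_number)
        self._in_audio = False  # <source> counts as audio only inside <audio>

    def handle_starttag(self, tag, attrs):
        if tag == "audio":
            self._in_audio = True
        in_audio_source = tag == "source" and self._in_audio
        kind = "audio" if in_audio_source else RESOURCE_TAGS.get(tag)
        src = dict(attrs).get("src")
        if kind is None or not src:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        absolute = urljoin(self.page_url, src.strip())
        if urlparse(absolute).scheme == "http":
            self.findings.append((kind, absolute, self.getpos()[0]))

    def handle_endtag(self, tag):
        if tag == "audio":
            self._in_audio = False

def audit(page_url, html):
    """Return insecure loads on an HTTPS page; [] if the page is not HTTPS."""
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only exists on HTTPS pages
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    return auditor.findings

# Constructed sample page and hostnames (not taken from any real site).
SAMPLE = """<html><body>
<img src="http://cdn.example.test/logo.png">
<img src="/static/banner.png">
<script src="//cdn.example.test/app.js"></script>
<audio controls><source src="http://media.example.test/clip.ogg"></audio>
<script src="http://ads.example.test/track.js"></script>
</body></html>"""
if __name__ == "__main__":
    for kind, url, line in audit("https://shop.example.test/cart", SAMPLE):
        print(f"line {line}: insecure {kind} -> {url}")
```

The relative and protocol-relative URLs in the sample inherit the page's HTTPS scheme and are not reported; only the three explicit `http://` loads are.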

The latest mobile build also supports guest browsing, making it easier for users to lend their device to others without having to worry about revealing any sensitive bookmarks or history.

Both guest browsing and mixed content blocking features were introduced in the beta version of the mobile browser back in September but officially went live in the stable version yesterday.

Per usual, both versions of Firefox, for mobile and desktop, along with updated versions of Thunderbird and SeaMonkey, are available at their respective download pages.


Comments (5)

  1. John C

    I am glad they fixed some of the problems, but I think they created others. My website's picture headers, which used to fade smoothly, now fade choppily. This problem is happening ONLY in Firefox 25. Has anyone else noticed this issue?

  2. Brenda

    Firefox 25 won’t load YouTube videos, even after confirming Adobe Flash Player is updated. Very annoying and taking way too much time to troubleshoot.

  3. Michele

    I’ve never had a problem with Firefox until update 25.0. Now it freezes in Facebook, MyFitnessPal, and anything else that uses JavaScript. Is there a fix for this? My avoidance tactic is to use my tablet until it is fixed.

  4. James Witney

    Find a version of Firefox that works for you, then stick with it.
    >> Let others do all the troubleshooting <<
    Use Sandboxie, NoScript & AdBlockPlus for security.
