Mozilla has released Firefox 19, the latest version of its flagship browser, which includes not only fixes for a number of serious security vulnerabilities but also a built-in PDF viewer. The native PDF viewer in Firefox could help protect against some of the ongoing attacks that use vulnerabilities in Adobe Reader and other PDF readers as infection vectors.
Attackers have been preying on Reader and Acrobat vulnerabilities for several years now, although the sandbox that Adobe added to Reader X and later versions has helped protect users against many exploits. Just last week, though, the first confirmed Reader sandbox escape exploit surfaced. Adobe patched that vulnerability on Tuesday.
Mozilla officials said the inclusion of the built-in PDF viewer should make life a little easier for Firefox users when they encounter a PDF on a site.
“Firefox for Windows, Mac and Linux introduces a built-in browser PDF viewer that allows you to read PDFs directly within the browser, making reading PDFs easier because you don’t have to download the content or read it in a plugin like Reader. For example, you can use the PDF viewer to check out a menu from your favorite restaurant, view and print concert tickets or read reports without having to interrupt your browsing experience with extra clicks or downloads,” Mozilla said.
In addition to the PDF viewer, Mozilla also fixed several serious security bugs in the browser, including a number of use-after-free flaws and some memory corruption vulnerabilities. But the most serious of the security issues fixed in Firefox 19 is a problem with phishing on HTTPS connections. The bug, discovered by Michal Zalewski of Google, is the result of the way that some proxies display 407 error messages.
“Google security researcher Michal Zalewski reported an issue where the browser displayed the content of a proxy’s 407 response if a user canceled the proxy’s authentication prompt. In this circumstance, the addressbar will continue to show the requested site’s address, including HTTPS addresses that appear to be secure. This spoofing of addresses can be used for phishing attacks by fooling users into entering credentials, for example,” the Mozilla advisory said.