Mozilla has released a major new version of Firefox, which includes fixes for more than a dozen security vulnerabilities as well as an important change that makes all Java plugins click-to-play be default. This feature prevents those plugins from running automatically on Web pages, which helps protect users against some Web-based attacks.
The modification to the way that Firefox 26 treats plugins is a significant security benefit for users, especially those who may not be aware of the security issues that plugins can cause. Attackers will use vulnerabilities in plugins such as Java, Flash or Silverlight to compromise users who visit a site that has content that is automatically rendered by those extensions. Mozilla began the process of changing the way that Firefox treats plugins earlier this year, but this is the first time that the change has shown up in the final version of the browser.
“Even though many users are not even aware of plugins, they are a significant source of hangs, crashes, and security incidents. By allowing users to decide which sites need to use plugins, Firefox will help protect them and keep their browser running smoothly,” Mozilla’s Benjamin Smedberg said earlier this fall about the upcoming change to Firefox’s handling of plugins.
Java has been a particular favorite of attackers in recent years, thanks to its long tail of security issues and ubiquity on the Web. Making all Java plugins click-to-play means that users will now have to explicitly choose to play a plugin anytime they encounter one. Other browsers, such as Google Chrome, give users the option of enabling click-to-play, as well.
In addition to the change to plugin behavior, Firefox 26 also has patches for a number of vulnerabilities, including five critical ones. A major fix in the new browser is Mozilla actively revoking trust in an intermediate certificate issued by the Agence Nationale de la Sécurité des Systèmes d’Information in France. The certificate was used to issue certificates for several of Google’s domains by mistake. Google researchers detected the issue and revoked trust for the certificate, as well, and notified other browser vendors. Mozilla officials said they don’t believe that the mistake put any users in danger, outside of the certificate authority’s network.
“An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website without browser warnings being triggered. An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software. We believe that this MITM instance was limited to the subordinate CA’s internal network,” Kathleen Wilson of Mozilla said.
The other security fixes in Firefox 26 include:
MFSA 2013-116 JPEG information leak
MFSA 2013-115 GetElementIC typed array stubs can be generated outside observed typesets
MFSA 2013-114 Use-after-free in synthetic mouse movement
MFSA 2013-113 Trust settings for built-in roots ignored during EV certificate validation
MFSA 2013-112 Linux clipboard information disclosure though selection paste
MFSA 2013-111 Segmentation violation when replacing ordered list elements
MFSA 2013-110 Potential overflow in JavaScript binary search algorithms
MFSA 2013-109 Use-after-free during Table Editing
MFSA 2013-108 Use-after-free in event listeners
MFSA 2013-107 Sandbox restrictions not applied to nested object elements
MFSA 2013-106 Character encoding cross-origin XSS attack
MFSA 2013-105 Application Installation doorhanger persists on navigation
MFSA 2013-104 Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)