Firefox 52 Expands Non-Secure HTTP Warnings, Enables SHA-1 Deprecation

The latest version of Firefox expands non-secure HTTP warnings, enables SHA-1 deprecation by default, and removes support for NPAPI.

Mozilla fixed 28 vulnerabilities, including some that could result in a crash and the bypass of ASLR and DEP, when it released Firefox 52 on Tuesday.

Seven of the vulnerabilities are considered critical, according to an advisory posted by the Mozilla Foundation.

One of those vulnerabilities would stem from a JIT spray attack carried out against the asm.js JavaScript subset and combined with a heap spray. By chaining together the sprays, an attacker could have bypassed the browser’s Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protections. ASLR and DEP are preventative features that protect memory and helps thwart buffer-overflow attacks. If exploited, the attack could have led to additional memory corruption attacks, Mozilla claims.

Several of the remaining critical bugs could have resulted in a crash of the browser, either through a logic error or a series of use-after-free vulnerabilities.

Ivan Fratric, a researcher on Google’s Project Zero team, uncovered one of the use-after-free bugs after “manipulating ranges in selections with one node inside a native anonymous tree and one node outside of it.”

A handful of memory safety bugs dug up by Mozilla developers and community members were also fixed in Firefox 52. According to the advisory the bugs showed evidence of memory corruption and “with enough effort” could be exploited to run arbitrary code.

Additional, low-tier bugs fixed in the update fix a potential denial of service attack vector, the potential for information leakage, and spoofing attacks.

The latest iteration of the browser expands in-context user warnings for non-secure HTTP pages with logins. Users will now be confronted with a “This connection is not secure. Logins entered here could be compromised.” message when they try to enter a username and password field on a non-HTTPS page.

Firefox began warning users in January, in Firefox 51, that HTTP websites collecting passwords may not be secure. Firefox, taking a tip from Google’s Chrome, began displaying such pages with a grey lock icon with a red strike-through in the address bar.

Firefox 52 also incorporates Mozilla’s Strict Secure Cookies specification. The rule forbids insecure HTTP sites from setting cookies with the “secure” attribute and from setting a cookie with the same name as an existing secure cookie from the same base domain. Previously insecure origins could add secure cookies, delete them or evict them. Google added support for the specification in Chrome 52 last July.

While Mozilla has been gradually deprecating the SHA-1 algorithm over the past few months, the deprecation policy is enabled by default in Firefox 52.

The cryptographic hash function has long been viewed as insecure but researchers from Google and Centrum Wiskunde and Informatica (CWI) delivered what may end up being the final nail in the coffin for SHA-1, the first practical collision attack, last month.

Going forward users who encounter SHA-1 certificates that chain up to a root cert in Mozilla’s CA program will be displayed an “Untrusted Connection” error. For the time being users can override those warnings.

The latest version of the browser also finally removes support for NPAPI, the Netscape Plugin API.

“Silverlight, Java, Acrobat and the like are no longer supported,” release notes for the browser read.

According to Martin Thomson, an engineer at Mozilla, the company opted not to enable TLS 1.3 by default in Firefox 52 as originally planned.  According to Thomson, Firefox’s testing showed a higher anticipated rate of failure due to middleboxes.

“I can’t say for certain, but it looks like Firefox 53 will use TLS 1.3,” Thomson told Threatpost Thursday.

The technology, widely regarded as archaic in today’s web landscape, was initially designed to help extend the functionality of browsers. Mozilla announced in October 2015 that it was looking to do away with NPAPI plugins by the end of 2016 but pushed back the timeline last year to 2017.

Mozilla plans to support Flash in Firefox a bit longer, “until early 2018, for those users who need more time for their transition,” Benjamin Smedberg, the manager for Firefox’s quality engineering team, said last July.

This story was updated on March 9 to clarify whether or not Firefox 52 enables TLS 1.3 by default. 

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.