Firefox 14 contains vulnerability patches, security-related features

Mozilla published 14 security advisories for Firefox 14.0.1

Version 14 of the Mozilla Firefox browser, released Tuesday, offers several new security-related features as well as patches for numerous vulnerabilities.

The release of Firefox 14.0.1 was accompanied by 14 security advisories, five of which were rated as critical by Mozilla.

One of the critical advisories covers a vulnerability in the "javascript: URL" function that could allow attackers to bypass the JavaScript sandbox and execute malicious scripts with elevated privileges.

Another critical flaw patched in Firefox 14 could be exploited to bypass the browser's same-compartment security wrappers (SCSW) -- a security feature that prevents a Web page from executing code outside of its context.

A critical memory corruption issue stemming from the way the "JSDependentString::undepend" function converts dependent strings into fixed strings was also addressed. If left unpatched it could be exploited to crash the browser and possibly execute malicious code on the system.

The other two security advisories marked as critical cover six other memory corruption vulnerabilities located in various components that could also lead to the execution of arbitrary code.

The remaining nine advisories, four rated as high and four as moderate, address vulnerabilities that could facilitate cross-site scripting (XSS), clickjacking and phishing attacks, or could allow attackers to steal OAuth 2.0 access tokens and OpenID credentials, trick users into accepting a rogue SSL certificate and conceal a malicious URL.

In addition to addressing numerous vulnerabilities, Firefox 14 also secures Google Web searches by enabling HTTPS for search queries initiated through the location bar, search box or the right-click menu.

"We automatically make your Google searches secure in Firefox to protect your data from potentially prying eyes, like network administrators when you use public or shared WiFi networks," the Mozilla developers said in a blog post on Tuesday. "Google is currently the only search engine that allows Firefox to make your searches private, but we look forward to supporting additional search engines with this feature in the future."

Firefox 14 also comes with simplified URL bar favicons that make it easier for users to determine the level of connection security supported by different websites.

Non-HTTPS websites will have a grey globe icon displayed in front of their URL, HTTPS websites will have a grey lock icon displayed, while HTTPS websites that use an EV (Extended Validation) certificate will have a green lock icon together the name of the certificate's owner displayed in the URL bar.

Another security-related feature in Firefox 14 is the opt-in activation for plug-ins. Also known as "click to play," this feature requires user approval for the playback of plug-in based content like Flash or Java when it is enabled.

The feature is still a work in progress, so for now it can only be enabled by manually setting a flag in "about:config" -- it can't be turned on from the browser's "Options" dialog.

The non-security related features in Firefox 14 include full screen support for Mac OS X Lion, Awesome Bar auto-complete for typed URLs and support for Pointer Lock API, an application programming interface that will give Web apps and games better control over the mouse.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place