Mozilla bakes Facebook features into Firefox 17

Patches 29 vulnerabilities, two-thirds rated critical

Mozilla Tuesday released Firefox 17, which debuts technology that lets developers integrate social networks -- for now, Facebook -- with the browser.

The company also patched 29 security vulnerabilities, two-thirds of them marked "critical," Mozilla's highest threat ranking.

The main thrust of Mozilla's trumpeting of Firefox 17, however, was what it called "Social API," an application programming interface (API) that allows developers to bake connections to social media services into the browser.

The first result of the API, Facebook Messenger for Firefox, displays a sidebar that shows Facebook chat sessions and updates, including new comments, without requiring the user to steer to Facebook's website. Additional tools range from message notifications to friend requests, accessible through new icons in the browser's toolbar.

Firefox 17 users can enable Messenger at this Facebook page, and the social networking giant has posted a short FAQ on the integration with Firefox.

Firefox 17 also debuts a new security feature that automatically blocks outdated versions of the most popular Web browser plug-ins -- Adobe's Flash Player and Reader, Microsoft's Silverlight, and Oracle's Java -- from executing content.

Dubbed "click-to-play," the added protection bars content from running in plug-ins Mozilla determines are unsafe or seriously out of date. (The company posts a list here.) Users can override the block, or before doing that, investigate by clicking a new icon that appears on the left edge of the browser's address bar.

Click-to-play is only the latest in a series of steps Mozilla has taken this year to stymie attacks, including blocking outdated Java plug-ins on Macs last spring when the Flashback malware infected several hundred thousand machines, and wrapping up work on silent updates to emulate Google's long practice of removing updates from users' responsibility.

Along with the new additions, Mozilla also subtracted: It pulled the plug on support for OS X Leopard, Apple's 2007 operating system.

The move had been in the works for almost a year, with the final decision coming in August. Firefox 16, which shipped Oct. 9, was the last version able to run on Leopard.

According to Web metrics firm Net Applications, only about 9% of all Macs still run Leopard; nearly two-thirds run either its successor, Snow Leopard, or that edition's follow-on, Lion. Most of the rest are powered by 2012's Mountain Lion.

The open-source developer also patched 29 vulnerabilities, 19 of them critical, with nine of the remaining labeled "high" and one pegged "moderate."

Nearly a third were reported by Abhishek Arya, who goes by the nickname "Inferno," of the Chrome security team, Mozilla said in an accompanying advisory. He was also credited with reporting five more vulnerabilities that were "introduced during Firefox development that were fixed before general release."

Another four were submitted by "miaubiz," a long-time contributor to Google's bug-bounty program.

By Net Applications' estimates, Firefox accounted for 20% of the browsers that went online last month. Irish measurement firm StatCounter, however, pegged Firefox's global share for October at a slightly higher 22.3%.

Windows, Mac and Linux editions of Firefox 17 can be downloaded manually from Mozilla's site. Installed copies will be upgraded automatically.

The next version of Firefox is scheduled to ship the week of Jan. 7, 2013, a slight delay from the usual six-week cadence to account for the end-of-year holidays.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His e-mail address is
