Firefox 42 ... answer to the ultimate question of life, security bugs and fully private browsing?

SSL/TLS library flaws found, anti-analytics missiles deployed


Mozilla has released Firefox 42 and Firefox ESR 38 38.4, which include fixes for worrying security vulnerabilities in the web browser.

The November 3 update squashes at least three bugs that can be potentially exploited to achieve remote code execution.

Two Mozilla engineers, Tyson Smith and David Keeler, uncovered two flaws (CVE-2015-7181 and CVE-2015-7182) in NSS, a toolkit used by Firefox to encrypt web traffic over SSL/TLS.

By exploiting "a use-after-poison and buffer overflow in the ASN.1 decoder," a malicious HTTPS website can potentially inject arbitrary evil code into the connecting browser and execute it, it appears. That seems a particularly neat way to install malware on PCs.

These programming blunders are fixed in NSS versions 3.19.2.1, 3.19.4, and 3.20.1, which are used in Firefox 42 and Firefox ESR 38 38.4.

Other applications that use the open-source toolkit for encrypting internet traffic must be rebuilt with a non-vulnerable version of the libraries, and pushed out to people to install.

Meanwhile, Google security engineer Ryan Sleevi found an integer overflow bug (CVE-2015-7183) in NSPR, which is a component of NSS. The code can be exploited to potentially execute arbitrary malicious code in the browser.

Mozilla has also squished three possible remote-code execution bugs (CVE-2015-7198, CVE-2015-7199 and CVE-2015-7200) in the ANGLE graphics library's handling of SVG files. The programming cockups were reported by security researcher Ronald Crane. "These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them," Team Mozilla notes.

A set of scary looking flaws (CVE-2015-4513 and CVE-2015-4514) deep within the browser engine have also been fixed. "Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Moz admitted.

The bug-squishing round also includes six fixes for vulnerabilities that could allow sensitive information to be collected without permission, and nine other security issues rated as "moderate" or "low" risks.

As well as these patches, Firefox 42 has a handful of new features such as "tracking protection" in private-browsing mode that stops websites from identifying and tracking you with analytics software as you surf across the web.

"When you browse the web, you can unknowingly share information about yourself with third parties that are separate from the site you're actually visiting, even in Private Browsing mode on any browser," wrote Firefox product vice president Nick Nguyen on Tuesday.

"Private Browsing with Tracking Protection in Firefox for Windows, Mac, Android, and Linux actively blocks content like ads, analytics trackers, and social share buttons that may record your behavior without your knowledge across sites."

Nguyen claims Chrome, Safari, Microsoft Edge and Internet Explorer allow websites to follow users as they browse from site to site, even in incognito mode. This is something that Firefox no longer allows – if tracking protection is enabled, of course.

The WebRTC and Login Manager components have also been updated and the browser tab view now includes an indicator icon and mute option for pages that automatically play audio. ®

Similar topics

Narrower topics


Other stories you might like

  • ESA boss gives update on stricken Sentinel-1B imaging satellite: All is not lost yet

    Still borked, 1C and 1D are waiting in the wings

    ESA Director General Josef Aschbacher has addressed the issue of the space agency's borked Copernicus Sentinel-1B spacecraft in his first annual press conference.

    The last useful bit of data from the Earth observation satellite came last year, and as of yesterday attempts to revive the equipment to normal working order have come to naught.

    It's an interesting anomaly: the spacecraft remains under control and, according to Aschbacher, "the thermal control system is properly working and the regular orbit control manoeuvres are routinely performed." However, attempts to reactivate the power unit that's holding back the transmission of image data have proven unsuccessful.

    Continue reading
  • Tesla driver charged with vehicular manslaughter after deadly Autopilot crash

    Prosecution seems to be first of its kind in America

    A Tesla driver has seemingly become the first person in the US to be charged with vehicular manslaughter for a deadly crash in which the vehicle's Autopilot mode was engaged.

    According to the cops, the driver exited a highway in his Tesla Model S, ran a red light, and smashed into a Honda Civic at an intersection in Gardena, Los Angeles County, in late 2019. A man and woman in the second car were killed. The Tesla driver and a passenger survived and were taken to hospital.

    Prosecutors in California charged Kevin George Aziz Riad, 27, in October last year though details of the case are only just emerging, according to AP on Tuesday. Riad, a limousine service driver, is facing two counts of vehicular manslaughter, and is free on bail after pleading not guilty.

    Continue reading
  • AMD returns to smartphone graphics with new Samsung chip for your pocket computer

    We're back in black

    AMD's GPU technology is returning to mobile handsets with Samsung's Exynos 2200 system-on-chip, which was announced on Tuesday.

    The Exynos 2200 processor, fabricated using a 4nm process, has Armv9 CPU cores and the oddly named Xclipse GPU, which is an adaptation of AMD's RDNA 2 mainstream GPU architecture.

    AMD was in the handheld GPU market until 2009, when it sold the Imageon GPU and handheld business for $65m to Qualcomm, which turned the tech into the Adreno GPU for its Snapdragon family. AMD's Imageon processors were used in devices from Motorola, Panasonic, Palm and others making Windows Mobile handsets.

    Continue reading

Biting the hand that feeds IT © 1998–2022