Firefox 34 Fixes Vulnerabilities

Wednesday, December 3, 2014 @ 01:12 PM gHale

Mozilla released Firefox 34 and disabled Secure Sockets Layer (SSL) 3.0 support to protect users against Padding Oracle On Downgraded Legacy Encryption (POODLE) attacks.

“SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information,” Mozilla said.

Google also intends to disable SSL 3.0 in Chrome with the release of version 40 of the Web browser. In the meantime, the search engine company has disabled fallback to SSL 3.0 to protect users.

With the release of Firefox 34, Mozilla fixed eight vulnerabilities, three of which are rated “critical.” That rating means an attacker could exploit the vulnerability to execute arbitrary code without user interaction beyond normal browsing.

One of the critical flaws, discovered by Abhishek Arya (Inferno) of the Google Chrome Security Team, is a buffer overflow during the parsing of media content (CVE-2014-1593).

Berend-Jan Wever has identified a use-after-free bug caused by triggering the creation of a second root element while parsing HTML written to a document created with the “document.open()” function (CVE-2014-1592).

Various memory safety bugs reported by several researchers (CVE-2014-1588, CVE-2014-1587) are also rated critical.

Security researcher Kent Howard reported another issue to Mozilla: the CoreGraphics framework in Apple’s OS X 10.10 (Yosemite) creates log files containing a record of all data, including usernames and passwords, entered into Mozilla programs during their operation (CVE-2014-1595).

“This issue has been addressed in Mozilla products by explicitly turning off the framework’s logging of input events,” Mozilla said in an advisory.

Byoungyoung Lee, Chengyu Song, and Taesoo Kim from the Georgia Tech Information Security Center (GTISC) reported potentially exploitable behavior (CVE-2014-1594).

Security researcher Muneaki Nishimura found another high-impact problem. The bug (CVE-2014-1591) affects Content Security Policy (CSP), and a malicious website could use it to obtain sensitive information such as usernames and single-sign-on tokens.

The medium-impact vulnerabilities fixed with the release of Firefox 34 are “XMLHttpRequest crashes with some input streams,” and “XBL bindings accessible via improper CSS declarations.”

The company also dropped Google as its default search engine. In the United States, Yahoo replaced Google, while in Belarus, Kazakhstan, and Russia the new default search engine is Yandex.


