Security Fixes; PDF Viewer in Firefox 19

Wednesday, February 20, 2013 @ 01:02 PM gHale


Mozilla released Firefox 19, the latest version of its flagship browser, which includes not only fixes for a number of serious security vulnerabilities but also a built-in PDF viewer.

The native PDF viewer in Firefox could help protect against some of the ongoing attacks that use vulnerabilities in Adobe Reader and other PDF readers as infection vectors.

RELATED STORIES
Firefox: Silent Add-ons Possible
New Opera Release Fixes Holes
Chrome Updated, Fixes Security Holes
Mozilla Closes Critical Holes

Attackers have focused on Reader and Acrobat vulnerabilities for several years now, although the sandbox that Adobe added to Reader X and later versions has helped protect users against exploits. However, a sandbox only goes so far as last week found the first confirmed Reader escape exploit. Adobe patched that vulnerability on Tuesday.
Mozilla officials said the inclusion of the built-in PDF viewer should make life a little easier for Firefox users when they encounter a PDF on a site.

“Firefox for Windows, Mac and Linux introduces a built-in browser PDF viewer that allows you to read PDFs directly within the browser, making reading PDFs easier because you don’t have to download the content or read it in a plugin like Reader. For example, you can use the PDF viewer to check out a menu from your favorite restaurant, view and print concert tickets or read reports without having to interrupt your browsing experience with extra clicks or downloads,” Mozilla said.

In addition to the PDF viewer, Mozilla also fixed several serious security bugs in the browser, including a number of use-after-free flaws and some memory corruption vulnerabilities. But the most serious of the security issues fixed in Firefox 19 is a problem with phishing on HTTPS connections. The bug, discovered by Michal Zalewski of Google, is the result of the way that some proxies display 407 error messages.”

Zalewski reported an issue where the browser displayed the content of a proxy’s 407 response if a user canceled the proxy’s authentication prompt. In this circumstance, the address bar will continue to show the requested site’s address, including HTTPS addresses that appear to be secure. This spoofing of addresses works for phishing attacks by fooling users into entering credentials, for example,” the Mozilla advisory said.



Leave a Reply

You must be logged in to post a comment.