Firefox 24 fixes many serious vulnerabilities

Summary: Mozilla has released version 24 of Firefox and Thunderbird. Firefox 24, which fixes 10 critical and 10 lesser vulnerabilities, becomes the new Extended Support Release. This version also removes support for Certificate Revocation Lists (CRLs).

TOPICS: Security, Browser

Mozilla has released new versions of Firefox and the Thunderbird email client. The new version adds many new features and fixes many serious vulnerabilities.

This version becomes the new Extended Support Release, a version which will be maintained with security updates for about one year. It takes over from version 17.

Ten critical vulnerabilities, four rated High and six rated Moderate, are fixed in this version. Nine of the critical vulnerabilities are memory-management errors and one is an integer overflow; all could lead to malicious code execution.

Many of the vulnerabilities technically apply to Thunderbird, but in practice cannot be exploited there because they require features, such as scripting, that are disabled in email.

[Image: FF-close-tabs-to-right]

Version 24 also adds several new features. One is support for a new scrollbar style in Mac OS X 10.7 and later. As the nearby image shows, it implements "Close tabs to the right." You can also tear off chat windows by dragging them off the main window in order to use them separately. There are also several performance improvements and other feature tweaks.

Version 24 also removes support for Certificate Revocation Lists (CRLs), the original method for certificate authorities to advertise the revocation of a digital certificate, typically for SSL/TLS. CRLs are static lists of certificate IDs; they can get large and be cumbersome to manage. For many years the preferred method has been OCSP (Online Certificate Status Protocol), a protocol with which a client can query the CA about one specific certificate. A newer method called OCSP Stapling speeds up the process.

The justification for dropping CRLs makes clear that they are both a pain and obsolete. Google Chrome already does not support them, nor does Firefox Mobile.
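The CRL mechanics described above, as an added shell example that is not from the article or from Mozilla: a throwaway CA issues one certificate, revokes it, republishes its CRL, and a CRL-based check is run before and after. It assumes an `openssl` binary on PATH; "Demo CA" and "leaf.example" are constructed names.

```shell
# Added example, not code from the article or from Mozilla: a throwaway CA issues one
# certificate, revokes it and publishes a CRL, then a CRL check runs before and after.
# "Demo CA" and "leaf.example" are constructed names; everything lives in a temp dir.
set -e
WORK=$(mktemp -d); cd "$WORK"
mkdir -p ca/newcerts; touch ca/index.txt; echo 1000 > ca/serial
# Minimal config for "openssl ca"; the quoted heredoc leaves $dir for OpenSSL to expand.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
# Self-signed CA, then one leaf certificate issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 30 \
  -config ca.cnf -keyout ca.key -out ca.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
  -config ca.cnf -keyout leaf.key -out leaf.csr 2>/dev/null
openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.crt 2>/dev/null
# Chain validation plus CRL check; reports "valid" or "revoked" instead of aborting under set -e.
crl_status() {
  if openssl verify -crl_check -CAfile ca.crt -CRLfile "$1" leaf.crt >/dev/null 2>&1
  then echo valid; else echo revoked; fi
}
openssl ca -config ca.cnf -gencrl -out before.crl 2>/dev/null  # empty list: nothing revoked yet
openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null         # record the revocation in the CA database
openssl ca -config ca.cnf -gencrl -out after.crl 2>/dev/null   # republished list now carries the serial
# A CRL is just a signed list of serial numbers; every client fetches the whole list.
openssl crl -in after.crl -noout -text | grep "Serial Number"
echo "before: $(crl_status before.crl)  after: $(crl_status after.crl)"
```

The point of the contrast with OCSP is visible in the last two commands: a client validating against a CRL must obtain and parse the whole list, whereas an OCSP query asks only about the one serial it is checking.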



Talkback

10 comments
  • good job, Mozilla!

    I wonder how Mozilla manages to do that and usually avoids the remote-execution exploitation mess that their colleagues from Microsoft have to clean up so often?

    Does it concern some better coding techniques, smarter design, healthier ethics, or just more eyeballs doing their job as predicted by that famous Finn?
    eulampius
    • all could lead to malicious code execution.

      Guess you missed that part. What part of malicious code execution is good?
      greywolf7
    • They may be great programmers

      Go back through the history of Firefox updates. They've always had a lot of these bugs and they fix them, just like everyone else. OS X has them, Linux has them; bugs like these are an inevitable side-effect of the complexity of modern software, and browsers have gotten incredibly complex. They deal with complicated data structures, which is usually how these bugs show up.
      larry@...
      • Larry,

        You just wrote on that: http://www.zdnet.com/microsoft-reports-ie-zero-day-attacks-7000020791/
        Microsoft seems to own the 0-day browser remote code execution bonanza, and BTW, it's their own territorial OS.

        MS should have come with a MAC system and offered it for all desktop OSes they ship. You have more insight there: how many more years would it take them to get something like AppArmor or SELinux?
        eulampius
        • Huh?

          >Microsoft seems to own the 0-day browser remote code execution bonanza, and BTW, it's their own territorial OS.

          And that makes Firefox have fewer remote code execution problems how?

          >MS should have shipped with a MAC system

          Why?

          > You have a more insight there, how many more years would it take them to get something like AppArmor or SELinux?

          That's something I'd like with Windows. AppArmor, that is.
          Michael Alan Goff
    • Huh?

      If you don't think Firefox has ever had to fix a flaw that deals with remote code execution, you're not paying attention to the list of bugs they fix. :|
      Michael Alan Goff
  • THUNDERBIRD 24 MAY NOT BE COMPATIBLE WITH LOOKOUT 1.2.13

    As usual, this winds up being a MICROSOFT problem ...

    When Outlook sends text in RTF format, MS uses a PROPRIETARY ATTACHMENT FORMAT, putting the information in a file called winmail.dat. With some versions of Outlook the winmail.dat file can't be read by non-Outlook email programs.

    A third-party add-on named Lookout 1.2.13 was developed to let Thunderbird see the contents of the winmail.dat file. Today I updated from Thunderbird 17 to 24 and now the winmail.dat files aren't displaying. I'm going to have to try to reinstall 17 over 24 and hope that corrects the problem.
    Rick_R
    • Huh?

      It's Microsoft's fault that a Thunderbird add-on doesn't work? It isn't the fault of the add-on maker, not the fault of the people making Thunderbird, it's the fault of a company that has nothing to do with the program or the add-on?
      Michael Alan Goff
  • Browser Forgiveness

    Firefox...it's so forgiving. What's up? Come on in dude. What's that you're carrying? Meth, firearms, a bot???
    CoyoteC
  • Firefox just increases the version number

    I remember when I was studying software versioning, all the articles said "the first number in a software version indicates a major update, the second number indicates a minor update and the third number indicates bug fixes".
    What Mozilla and some others do is just increase the version number, with no improvement or new feature for end users. They could have released this as 23.0.1, not 24.
    fawad.mz