Firefox 24 fixes many serious vulnerabilities

Mozilla has released version 24 of Firefox and Thunderbird. Firefox 24, which fixes 10 critical and 10 lesser vulnerabilities, becomes the new Extended Support Release. This version also removes support for Certificate Revocation Lists (CRLs).

Mozilla has released new versions of Firefox and the Thunderbird email client. The new version adds many new features and fixes many serious vulnerabilities.

This version becomes the new Extended Support Release, a version which will be maintained with security updates for about one year. It takes over from version 17.

This version fixes 10 vulnerabilities rated Critical, 4 rated High and 6 rated Moderate. Nine of the critical vulnerabilities are memory management errors and one is an integer overflow; all could lead to malicious code execution.

Many of the vulnerabilities technically apply to Thunderbird, but in practice cannot be exploited because they require features, like scripting, which are disabled in email.


Version 24 also adds several new features. One is support for a new scrollbar style in Mac OS X 10.7 and later. Another, as the nearby image shows, is a "Close tabs to the right" command. You can also tear off chat windows by dragging them off the main window in order to use them separately. There are also several performance improvements and other feature tweaks.

Version 24 also removes support for Certificate Revocation Lists (CRLs), the original method for certificate authorities to advertise the revocation of a digital certificate, typically for SSL/TLS. CRLs are static lists of certificate IDs; they can get large and be cumbersome to manage. For many years the preferred method has been OCSP (Online Certificate Status Protocol), a programming interface with which a client can query the CA about one specific certificate. A new method called OCSP Stapling speeds up the process.

The justification for dropping CRLs makes clear that they are both a pain and obsolete. Google Chrome already does not support them, nor does Firefox Mobile.