From eWeek: Mozilla is out today with its latest milestone Firefox release, this time providing security fixes as well as new functionality in the open-source Web browser.
The Firefox 26 release first entered beta in early November. From a security feature perspective, the big change that Firefox 26 introduces is the concept of "click-to-play" plug-ins. Prior to Firefox 26, plug-ins such as Java would just load inside the browser whenever required by a given Website, and without the need for any specific user interaction.
With Firefox 26, Mozilla has now restricted the ability of Java plug-ins to auto-load and automatically run. Other competitive Web browsers, including Apple's Safari 7, already enable the same type of functionality. One of the primary differences between Firefox 26's click-to-play implementation and Safari 7's is that Firefox currently does not block Flash media content with click-to-play. The risk from automatically enabled plug-ins is that a user could potentially be directed to a malicious Website where a plug-in is used to automatically deliver some form of malware payload.
The plan is to expand the click-to-play effort in future releases of Firefox.
"The latest release of Firefox will continue to enable all plug-ins—except Java—by default while the click-to-play feature goes through additional testing in beta," Chad Weiner, product manager for Firefox, told eWEEK. "In the coming weeks, we will announce details of a plug-in whitelist policy that will provide a path to exempting certain plug-ins and Websites from our click-to-play policy."
From a security patch perspective, Mozilla has attached 14 security advisories to the Firefox 26 release, with five marked as critical. Three of the critical advisories deal with use-after-free memory errors. Use-after-free memory vulnerabilities occur when unused authorized memory remains accessible to other programs, enabling attackers to potentially execute arbitrary code.
Two of the three use-after-free memory vulnerabilities were reported to Mozilla by security researchers working with the BlackBerry Security Automated Analysis Team. Mozilla first began partnering with BlackBerry for security in July. The BlackBerry research team used Address Sanitizer—a widely used open-source tool for discovering memory flaws that was originally built by Google—to find the flaws.
View: Article @ Source Site
