Times are lean for Mozilla’s Firefox browser, no longer the second fiddle in the browser usage race, as it continues to fall behind Google Chrome and Internet Explorer and Edge for user market share. Into that environment, Mozilla this week shipped a new stable release and a beta milestone of Firefox.
Firefox 41 expands on Mozilla’s Firefox Hello web collaboration effort by including a new instant messaging capability. The instant messaging capability extends the audio and voice features that Firefox Hello first introduced in the Firefox 34 release in October 2014.
Firefox Hello leverages the WebRTC (Real Time Communication) protocol to enable its audio, video and instant messaging capabilities. As a community, WebRTC is supported by Mozilla, Opera and Google. Mozilla is now also improving the security of its WebRTC implementation by requiring the use of Perfect Forward Secrecy (PFS) for SSL/TLS. In a typical SSL/TLS deployment there is a private encryption key that resides on the server. If that key is cracked by an attacker, there is the possibility that all the encrypted traffic on the server could be intercepted and decrypted. PFS generates an ephemeral key for each server transaction, so a later compromise of the server's long-term key does not expose previously recorded traffic.
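Whether a TLS endpoint offers forward secrecy depends on the key-exchange part of each cipher suite it enables, which a defender can read straight from the suite names. The following check is an added example, not code from Mozilla or from this article; the function names and the sample suite list are constructed for illustration, and it covers both IANA and OpenSSL naming.

```python
# Added illustration: classify TLS cipher suite names by key exchange.
# Ephemeral (EC)DH tokens; EDH/EECDH are older OpenSSL spellings of DHE/ECDHE.
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH", "EECDH"}
# Prefixes OpenSSL spells out; a name with none of them uses RSA key transport.
OPENSSL_KX = EPHEMERAL_KX | {"ECDH", "DH", "PSK", "SRP", "ADH", "AECDH"}


def key_exchange(suite):
    """Return the key-exchange token of an IANA or OpenSSL cipher suite name."""
    if suite.startswith("TLS_"):
        if "_WITH_" not in suite:
            # TLS 1.3 names list only the AEAD and hash; a full TLS 1.3
            # handshake always performs an ephemeral (EC)DHE exchange.
            return "TLS1.3"
        return suite[len("TLS_"):].split("_WITH_")[0].split("_")[0]
    first = suite.split("-")[0]
    return first if first in OPENSSL_KX else "RSA"


def has_forward_secrecy(suite):
    """True when the session key comes from an ephemeral, authenticated exchange."""
    # Anonymous suites (ADH/AECDH) are deliberately not counted: unauthenticated.
    return key_exchange(suite) in EPHEMERAL_KX | {"TLS1.3"}


def audit(suites):
    """Split suite names into (forward_secret, not_forward_secret)."""
    ok = [s for s in suites if has_forward_secrecy(s)]
    weak = [s for s in suites if not has_forward_secrecy(s)]
    return ok, weak


# Constructed sample: a server's enabled suites, mixing both naming styles.
SAMPLE = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",       # RSA key transport
    "AES256-SHA",                         # OpenSSL name, implicit RSA
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",  # static ECDH, not ephemeral
]

if __name__ == "__main__":
    for s in audit(SAMPLE)[1]:
        print(f"no forward secrecy ({key_exchange(s)} key exchange): {s}")
```

Suites reported by `audit` are the ones to disable on a server that should only negotiate forward-secret sessions.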
PFS isn’t the only security improvement in Firefox 41, with Mozilla issuing 18 security advisories as part of its browser update. Of those 18 advisories, four are rated by Mozilla as being critical, with all four relating to memory corruption and safety issues.
Digging into the advisories that Mozilla rates as having high impact, more memory issues are disclosed, including MFSA-2015-112, which carries the seemingly innocuous title of “vulnerabilities found through code inspection.” MFSA-2015-112 is actually eight different vulnerabilities, all reported to Mozilla by security researcher Ronald Crane.
“These included several potential memory safety issues resulting from the use of snprintf, one use of unowned memory, one use of a string without overflow checks, and five memory safety bugs,” Mozilla warns in its advisory. “These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them.”
There is also an interesting vulnerability that involves URL spoofing that Mozilla is rating as having a low impact.
“Security researcher Juho Nurminen reported a mechanism to spoof the URL displayed in the addressbar in reader mode by manipulating the loaded URL,” MFSA-2015-103 warns. “This flaw allows for the URL displayed to be different than that the web content rendered.”
Looking forward, Mozilla is also out this week with a beta release of Firefox 42. The big new feature that Mozilla is highlighting in Firefox 42 is Tracking Protection in Private Browsing mode. The feature ties together two different privacy-related ideas that Mozilla has been talking about for years. Private Browsing mode first came to Mozilla in 2008 with the Firefox 3.1 release. The basic idea behind Private Browsing is to not store a user’s history or cookies from a given browser session. With Do Not Track, which Mozilla introduced with Firefox 4 in 2011, the idea is to give users a way to opt out of website tracking.
“Most websites rely on many different ‘third-parties’ — companies that are separate from the site you’re visiting — to provide analytics, social network buttons and display advertising,” Mozilla explained in a blog post. “These third-parties sometimes include page elements that could record your browsing activity to create profiles about you across multiple sites and Private Browsing with Tracking Protection in Firefox Beta blocks some of these page elements.”
Sean Michael Kerner is a senior editor at Datamation and InternetNews.com.