"The critical flaws, which can be leveraged by an attacker to run arbitrary code and install malicious software without any user interaction, refer to use-after-free, buffer overflow and memory corruption issues identified with the aid of Address Sanitizer," writes Softpedia's Eduard Kovacs. "Other critical security holes include a CSS and HTML injection issue through Style Inspector, miscellaneous memory safety hazards, a buffer overflow when rendering GIF images, and a crash when combining SVG text on path with CSS."
"Firefox has also debuted a new security feature called 'click-to-play' which can automatically disable some popular plug-ins which may be out of date," writes redOrbit's Michael Harper. "Firefox 17 can also now detect when a user’s version of Flash, Java, Microsoft Silverlight or Adobe Reader is out of date and prevent them from running within the browser."
"Given the history of security problems associated with these plugins, this is an important feature," writes CIO.com's Bill Snyder. "Mozilla also plans to add more plugins to that list in the future."
"Click-to-play is only the latest in a series of steps Mozilla has taken this year to stymie attacks, including blocking outdated Java plug-ins on Macs last spring when the Flashback malware infected several hundred thousand machines, and wrapping up work on silent updates to emulate Google's long practice of removing updates from users' responsibility," writes Computerworld's Gregg Keizer.
"This is also the first new version of Firefox to completely drop support for OS X 10.5 -- Chrome dropped Leopard support in version 21 a few weeks ago, and Safari's last Leopard-supporting update came way back in July of 2011 with version 5.0.6," writes Ars Technica's Andrew Cunningham. "Opera 12, then, is the last major browser that continues to support the aging OS, and even in that case PowerPC support was dropped long ago. Leopard holdouts may want to rethink their decision not to upgrade."