Firefox 7 Updates for Security, not SSL
Firefox 7 isn't just about speed, there's also a long list of security patches. Surprisingly, a fix for the SSL BEAST attack is not one of them.
Mozilla is patching it's Firefox Web browser for at least 10 vulnerabilities, seven of which are rated as being "critical." Firefox 7 was released on Tuesday offering users the promised of improved perfomance and better memory usage.
On the security front, the Firefox 7 release provides a critical fix for what Mozilla describes as, "Miscellaneous memory safety hazards."
"Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products," Mozilla stated in its advisory. "Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code."
There is also a critical fix for an interesting flaw that could have been triggered by having a user hold down the 'Enter' key. By holding down the key, code could potentially be installed without a user's knowledge.
"Mariusz Mlynski reported that if you could convince a user to hold down the Enter key -- as part of a game or test, perhaps -- a malicious page could pop up a download dialog where the held key would then activate the default Open action," Mozilla warned.
Other critical flaws that are fixed in Firefox 7 include potentially exploitable crashes in WebGL graphics and the YARR regular expression library. Firefox 7 also provides a fix for a high impact flaw where cross-site scripting (XSS) could have been enabled via plugins.
There is also a fix in Firefox 7 for a flaw rated as "moderate" that is triggered by the motion of a device. Mozilla's advisory noted that a recent research paper detailed how it would be possible to inferring keystrokes from device motion data on mobile devices.
"Web pages can now receive data similar to the apps studied in that paper and likely present a similar risk," Mozilla warned. "We have decided to limit motion data events to the currently-active tab to prevent the possibility of background tabs attempting to decipher keystrokes the user is entering into the foreground tab."
While Firefox 7 addresses multiple security issues, it is not taking specific aim at the recent disclosure of potential SSL vulnerabilities. The SSL BEAST attack was disclosed last week by Researchers Thai Duong and Juliano Rizzo.
The SSL BEAST attack specifically affects the TLS 1.0 specification that Firefox currently uses. TLS 1.1 is not affected by the attack.
"We are close to having TLS 1.1 support for Firefox," Brian Smith, platform engineer at Mozilla said in an email sent to InternetNews.com. "It is important to note that very, very few websites support TLS 1.1. That is why we are investing into workarounds that prevent these attacks even for SSL 3.0 and TLS 1.0. "
Overall, Mozilla has publicly noted that they do not believe Firefox to currently be at risk from the SSL BEAST attack
September 09, 2011
Open source browser vendor gives certificate authorities one week to prove they are secure.