Firefox 20 was released yesterday, also marking the 15th anniversary. Firefox 20 contains 11 security fixes in total, 3 of them critical. Private browsing was also updated, and hanging plugins can now be closed without the browser itself hanging.
Mozilla detailed the security fixes, which include the following critical- and high-risk items:
- CRITICAL: MFSA 2013-30 Miscellaneous memory safety hazards (rv:20.0 / rv:17.0.5)
- CRITICAL: MFSA 2013-35 WebGL crash with Mesa graphics driver on Linux
- CRITICAL: MFSA 2013-36 Bypass of SOW protections allows cloning of protected nodes
- HIGH: MFSA 2013-31 Out-of-bounds write in Cairo library
- HIGH: MFSA 2013-32 Privilege escalation through Mozilla Maintenance Service
- HIGH: MFSA 2013-34 Privilege escalation through Mozilla Updater
- HIGH: MFSA 2013-38 Cross-site scripting (XSS) using timed history navigations
Other than all that, there were more performance tweaks, as usual, as well as much improved HTML5 tools.
Mozilla is planning fixes in Firefox 21 for: a known HTML5 video bug affecting copy actions, browsing and download history pairing, and function keys that don’t work when pressed. For other info on updates and issues, look here.
In Firefox, if you’re not automatically prompted to update, do so as soon as possible: click the Firefox tab at the top left corner of the browser, hover over Help, and click About Firefox. You may also have to click Check for updates in the window that pops up. You should then be patched.
Once you install Firefox, it will ask to restart your browser. Please allow it to do so, in order for it to finish updating and get you secure and well on your way in the dangers of the Internet.
Feel free to comment at any time.
Firefox 18 has been released.
According to a post on Mozilla’s blog yesterday, Firefox 18 also comes with an awesome new phishing and malware protection component. The browser will now warn users when they browse to sites that host phishing or malware.
Firefox 18 now supports Retina enhanced resolution on MacBook Pro devices. So, if you want to use Retina to your advantage when browsing the web, you have it.
Other than all that, it’s cool! Download from http://www.getfirefox.com or press the Firefox tab in the browser > Help > About Firefox, Check for Updates.
A little over a month after the release of Firefox 14, version 15 was released yesterday, fixing about 2,200 bugs. In addition, 16 critical security vulnerabilities have been addressed. Of course, the normal memory management tweaks were made to make the user experience smoother and more responsive. It continues to use the hidden update feature, which makes its updates silent, and afterward prompts you to restart Firefox to finish updating. This version is highly recommended, and you should update now to protect against security threats and exploits.
You can update now at: https://www.mozilla.com
In this frequently asked questions post, I will publish some of the questions people ask me, and then will post some answers from my expertise about Sirefef or ZeroAccess.
Q: How to protect from this atrocity?
Q: Are Sirefef and ZeroAccess the same thing?
A: YES! They are the same thing, but are named differently by many antivirus companies. This is sometimes due to language translations and competitiveness.
Q: Can the ZeroAccess virus infect my flash drive?
A: I doubt that the virus could activate on the flash drive, unless you plugged it in while logged on to the infected Windows system. If you’re worried about accidentally running something on the flash drive, use USB Immunizer from BitDefender to disinfect it.
Q: Should my passwords be changed after the ZeroAccess infection? Is it only active ones to change?
A: All active passwords and even passive ones need to be changed. If you’re unsure about passive ones, then don’t set a new password based on old passwords. Go all fresh with new passwords. See more on passwords.
Q: What is Sirefef, how did it infect my computer, or when are new variants released?
A: Sirefef or ZeroAccess is a transitional rootkit, virus, and/or backdoor trojan. It is still being watched and studied constantly, having 2-3 new variants every two weeks. We stay abreast of all changes.
Q: How did Sirefef infect me?
A: Viruses and other malware are commonly embedded into webpages through iFrame exploits, or through exploitation of vulnerable plugins. For iFrame exploits, malware authors can create a small (1x1px) iFrame containing the scripts needed to automatically download and install malware on a target machine. The vulnerable plugin problem happens when people fail to update Adobe Reader, Adobe Flash Player, Java Runtime Environment, Apple QuickTime, Mozilla Firefox, etc. Many times, malware authors use these vulnerable versions of the plugins to distribute an exploit, which can allow them to take control of a computer.
Other malware can be distributed by means of operating system and program bugs. Sometimes programs, and very often Windows, become vulnerable to attacks because of certain bugs in the code.
Those who do not have proper Internet security protection will fall victim to exploits.
Many people are being hit with Sirefef because of these exploits. I’d say 3/4 of people I’ve seen here on the forums have out-of-date plugins, inevitably leading to infection. Sirefef is one of the most prevalent and highly engaged malware coded problems in the past year.
It is highly recommended to have proper Internet security protection! We recommend you to read that post and pick out a premium antivirus program for your computer RIGHT AWAY!
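For site owners who want to check their own pages for the small (1x1px) iFrames described in the answer above, here is an added example (not part of the original post) that flags tiny or hidden iframes in HTML. The function names, the 1px threshold and the sample markup are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Inline styles that hide a frame from the visitor entirely.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Plain width/height declarations in pixels (min-width, max-height etc. are skipped).
STYLE_DIM = re.compile(
    r"(?<![-\w])(width|height)\s*:\s*(\d+(?:\.\d+)?)\s*(?:px)?\s*(?:;|$)", re.I)

def _pixels(value):
    """Pixel count for '1', '1px' or '0'; None for '100%', empty or missing values."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(?:px)?\s*", value or "", re.I)
    return float(m.group(1)) if m else None

class IframeAuditor(HTMLParser):
    def __init__(self, max_px=1):
        super().__init__()
        self.max_px = max_px      # frames this small or smaller are reported
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "")
        dims = {"width": _pixels(a.get("width")), "height": _pixels(a.get("height"))}
        for name, num in STYLE_DIM.findall(style):
            dims[name.lower()] = float(num)   # inline CSS overrides the attribute
        reasons = [f"{n}={px:g}px" for n, px in dims.items()
                   if px is not None and px <= self.max_px]
        if HIDDEN_STYLE.search(style):
            reasons.append("hidden by style")
        if reasons:
            self.findings.append(
                {"line": self.getpos()[0], "src": a.get("src", ""), "reasons": reasons})

def audit_html(html, max_px=1):
    """Return one finding per iframe that is tiny or hidden."""
    parser = IframeAuditor(max_px)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: one normal banner frame and three suspicious ones.
SAMPLE = """<html><body>
<iframe src="http://ads.example/banner" width="300" height="250"></iframe>
<iframe src="http://unknown.example/x" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://unknown.example/y" style="width:0;height:0"></iframe>
<iframe src="http://unknown.example/z" width="100%" style="display: none"></iframe>
</body></html>"""
```

A finding is only a prompt to review where the frame's `src` points; some legitimate widgets also use invisible frames.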
Java exploitation has been a problem for years. Many of the issues encountered with Java exploitation are usually because versions are out-of-date.
“As the Advanced Malware Analysts administrator/group owner, I see a lot of issues with people not updating Java, Flash Player, and Reader. These attack vectors were used 5 or so years ago, up until today. Still a complete problem. Problem is, people do not use great tools like Secunia PSI or the auto-update feature in each of the plugins’ control panels,” says Jay Pfoutz – administrator and group owner of the Advanced Malware Analysts. The Advanced Malware Analysts are a group of malware analysts who volunteer on tech support forums across the web to assist in malware removal for free.
Exploitation frequently happens when people fail to update their plugins in a timely manner. Java plugin problems lately have increased because attackers are now targeting Java a lot more.
Here is how to check for the latest updates for Java (should be done weekly):
- If using Mozilla Firefox, Plugin Check is the easiest way.
- Click Start, navigate to Control Panel. Look for Java in the list, and double-click on that. Click the “Update” tab, and then click the “Check for Updates Automatically” check box if you want Java to search for updates automatically. Select how you want Java to notify you about available updates. Or you can hit the Update Now button. More info here
- Verify Java Version Online
The Mozilla Foundation has released updates for the following products to address multiple vulnerabilities:
- Firefox 14
- Firefox ESR 10.0.6
- Thunderbird 14
- Thunderbird ESR 10.0.6
- SeaMonkey 2.11
These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, disclose sensitive information, operate with elevated privileges, bypass security restrictions, or perform a cross-site scripting attack.
US-CERT encourages users and administrators to review the Mozilla Foundation Advisory for Firefox 14, Firefox ESR 10.0.6, Thunderbird 14, Thunderbird ESR 10.0.6, and SeaMonkey 2.11 and apply any necessary updates to help mitigate the risk.