Mozilla has published an important new edition of Firefox, including solutions for over a dozen security vulnerabilities as well as an essential change which makes all Java plugins click-to-run by default. This feature prevents those plugins from running instantly on Web pages, which will help protect consumers against some drive by attacks.
The alteration to the method that Firefox 26 uses plugins is a substantial security benefit for users, particularly those who might not be mindful of the security problems that plugins can cause. Attackers make use of vulnerabilities in plugins such as Java, Flash and Silverlight to compromise users who visit a site that has content that is automatically rendered by those plug-ins. Mozilla began the process of changing the way that Firefox treats plugins earlier this year, but this is the first time that the change shows up in the final form of the browser.
“Even though many users are not even aware of plugins, they are a significant source of hangs, crashes, and security incidents. By allowing users to decide which sites need to use plugins, Firefox will help protect them and keep their browser running smoothly,” Benjamin Smedberg blogged earlier this year about the upcoming change to Firefox’s handling of plugins.
Besides the change in plugin behavior, Firefox 26 also offers fixes for several vulnerabilities, including five critical ones. A major fix within the new browser is Mozilla actively revoking trust in an intermediate certificate issued by the Agence Nationale de la Sécurité des Systèmes d’Information in France. The certificate was utilized to issue certificates for many of Google’s domains by accident. Google researchers detected the situation and revoked trust for the certificate, as well, and informed other browser suppliers. Mozilla officials said they don’t think that the mistake put any users in danger, outside of the certificate authority’s network.
“An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website without browser warnings being triggered. An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software. We believe that this MITM instance was limited to the subordinate CA’s internal network,” Kathleen Wilson of Mozilla added.