Last week, Mozilla released Firefox 23 for Mac OS X, which included 13 fixes for known vulnerabilities (4 Critical, 7 High, 1 Moderate, 1 Low), and comes bundled with a new security feature called the Mixed Content Blocker. Among the critical issues resolved in this update were several memory safety bugs that, presumably, with enough effort could be exploited to run arbitrary code. All of the critical bugs fixed in Firefox 23 could cause a potentially exploitable crash.
Multiple cross-site scripting (XSS) issues were fixed with Firefox 23. For instance, this update fixed a problem with an interaction of frames and browser history that made it possible for the browser to believe “attacker-supplied content came from the location of a previous page in browser history,” a high vulnerability that allows for cross-site scripting (XSS) attacks. For all versions of Firefox before 23, the vulnerabilities identified as “high” can be used to gather sensitive data from other sites that a user is visiting or inject data or code into those sites.
Following is a complete list of the security issues resolved in the Firefox 23 update:
- MFSA 2013-75 Local Java applets may read contents of local file system
- MFSA 2013-74 Firefox full and stub installer DLL hijacking
- MFSA 2013-73 Same-origin bypass with web workers and XMLHttpRequest
- MFSA 2013-71 Further Privilege escalation through Mozilla Updater
- MFSA 2013-70 Bypass of XrayWrappers using XBL Scopes
- MFSA 2013-69 CRMF requests allow for code execution and XSS attacks
- MFSA 2013-68 Document URI misrepresentation and masquerading
- MFSA 2013-67 Crash during WAV audio file decoding
- MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
- MFSA 2013-65 Buffer underflow when generating CRMF requests
- MFSA 2013-64 Use after free mutating DOM during SetBody
- MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)
Mozilla’s Firefox 23 also brings Mixed Content Blocking, an interesting new security feature that will try to prevent man-in-the-middle attacks and protect users from eavesdroppers on HTTPS pages. The Mozilla blog provided additional information about the new feature, including the following:
When an HTTPS page contains HTTP resources, the HTTP resources are called Mixed Content. [...] Firefox will block certain types of Mixed Content by default, providing a per-page option for users to “Disable Protection” and override the blocking.
You can click through to the Mozilla blog for further details about how the browser will inform users about a potential security threat.
Users can update their software to the latest version on your Mac by using the browser’s internal updater (go to Firefox > About Firefox > Check for Updates). You can also head over to Mozilla’s download page to get Firefox 23 on your Mac.