Firefox 36 Fixes Critical Flaws

Mozilla has released Firefox 36, which includes fixes for 17 security issues. Three of the flaws are considered critical. The newest version of the browser also supports the HTTP/2 protocol. Read what’s new in this version of Firefox here.

The big emphasis in Firefox 36 is in the area of Web security. Starting with Firefox 36, Mozilla is now phasing out a number of 1,024-bit root certificates that are used for Web encryption. The move is part of a planned migration toward more secure encryption certificates that use 2,048-bit or higher encryption keys.

Also as part of Firefox 36, the browser is no longer accepting insecure RC4 encryption ciphers. RC4 at one point was a widely deployed encryption technology, but it has been shown to be theoretically exploitable.

Read the news story here.

Mozilla Releases Firefox 34

This week Mozilla released Firefox 34.0.5. Users of this browser will notice that the default search engine in Firefox 34 is Yahoo, rather than Google. Also included in this version are an improved search bar and the launch of WebIDE (the replacement for App Manager). SSL 3.0 support has been removed in this update due to known security issues.

Read the Notes for Firefox 34.0.5

Firefox Enhances SSL Security

Mozilla recently released Firefox 32 to improve browser security. The newest incarnation of the browser now includes public key pinning in an effort to protect users from man-in-the-middle attacks. “Key pinning allows site operators to specify which certificate authorities (CAs) may issue valid certificates for them, rather than accepting any of the many CAs that are trusted.” Read the full story in the news.

Note that this version of Firefox is not currently supported by IS&T. Learn more about certificates at MIT. Supported browsers at MIT.

Software Patches for Adobe and Mozilla Products

Adobe

Adobe has issued security updates to address critical flaws in Reader, Acrobat, Flash Player and ColdFusion. The updates for Reader and Acrobat address a total of 27 vulnerabilities, 24 of which could be exploited to execute arbitrary code (malware). The updates for Flash address 13 vulnerabilities, and a hotfix for ColdFusion addresses two flaws.

Read the details in the news.

Mozilla

Mozilla has released Firefox 21, which addresses 13 security issues in the previous version of the browser. Firefox 21 also introduces a feature called “Health Report,” which lets users see information about the browser’s performance, including start-up times, total running time, and crashes, as well as the number of plug-ins, add-ons, and bookmarks. Mozilla has also released Firefox 21 for Android.

Read the details in the news.

NOTE FOR THE MIT COMMUNITY: Information Services & Technology recommends that, if you are accessing MIT enterprise applications such as SAPweb and Employee Self Service, you remain on Firefox ESR, available from the Software grid.

Silent Updates Now Available for Firefox

Firefox 12 is now available. The newest version of the browser incorporates an element of its planned silent updates. Users of Windows Vista and Windows 7 will notice that after the initial installation of the newest version of Firefox, the updates will no longer trigger the user account control prompt, which requires users to agree when programs are installed. The final components necessary for silent updating will appear in Firefox 13 or 14, which are slated to ship on June 5 and July 17, respectively.

On April 24 Mozilla also retired Firefox 3.6; users who have admin rights to their computers and who have not already updated will find themselves automatically updated to Firefox 12.

IS&T will be supporting Firefox ESR (Extended Support Release) for the MIT community. It allows IT admins who maintain a desktop environment to manage updates of Firefox. An announcement about this from IS&T is to be released soon.

Read the story in the news.

Safer Browsing With Extensions

Did you know that you can make your browser even more secure by installing extensions? Let’s take Firefox as an example and look at some Firefox add-ons that are designed to protect you when browsing the Web:

  • Want to prevent ads from appearing on the sites you visit and that could potentially take you to more dangerous sites? Install Adblock Plus.
  • Need protection against JavaScript, Java and other executable content that could cause cross-site scripting attacks (XSS), cross-zone DNS rebinding / CSRF attacks (router hacking) and Clickjacking attempts? Install NoScript.
  • Would you like to know which sites to trust? Install WOT.
  • Want to know which country the web server you’re connected to resides in? Install Flagfox.
  • Want to preview sites before you click on their links? Install CoolPreviews.
  • Ever wonder if you’re being tracked by Google, eBay or YouTube and want to block them? Install BetterPrivacy or Ghostery.

See the extensions for the main browsers:

Browsers with Updates

On August 23, 2011, Google released Chrome 13.0.782.215 for Linux, Mac, Windows, and Chrome Frame to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code. US-CERT encourages users and administrators to review the Google Chrome Releases page and update to Chrome 13.0.782.215 to help mitigate the risks.

On August 17, 2011, Mozilla released Firefox 6 and 3.6.20 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, operate with escalated privileges, or obtain sensitive information. US-CERT encourages users and administrators to review the Mozilla Foundation Security Advisories for Firefox 6 and Firefox 3.6.20 and apply any necessary updates to help mitigate the risks.

NOTE to MIT: IS&T is not yet supporting Firefox 6 and is in the process of testing IS&T supported applications to make sure they are compatible with the newest version of Firefox. If you rely on MIT administrative browser-based software, you are advised to WAIT to upgrade to Firefox 6.