The Mac Security Blog

firefox

Firefox Turns 10, Fixes Vulnerabilities, and Changes Add-On Upgrade Process

The Mozilla Foundation has released Firefox 10, the latest version of their web browser, which fixes eight vulnerabilities, six of which are rated critical. These include memory corruption issues, cross-site scripting vulnerabilities and more. (See the Firefox security advisory.)

Firefox 10 also features “powerful new developer tools” for web designers, and a new system for checking add-on compatibility.

The Mozilla Foundation also released Firefox 3.6.26, with patches for five vulnerabilities, because some people are still using the two-year-old version of the program for compatibility reasons.

Users can automatically update their copy of Firefox by launching it, choosing Firefox > About Firefox, and clicking Check for Updates. Alternatively, you can download a copy here, or, for version 3.6.26, here.


Hello Firefox 9, and Thanks for the Security Fixes

The Mozilla Foundation has released Firefox 9 (it seems like just a few months ago we were using Firefox 4…), and, with it, has fixed several memory safety bugs in the browser engine and in other programs, such as Thunderbird and SeaMonkey. These vulnerabilities were not critical, but, as the Mozilla Foundation’s security advisory says, “we presume that with enough effort at least some of these could be exploited to run arbitrary code.”

The Mozilla Foundation also released Firefox 3.6.25, with a single fix related to Java .jar files. This version of Firefox, for older versions of Mac OS X, is not seeing any more updates.

As usual, you can download a copy of Firefox, or launch your current copy and have it automatically update.


Mozilla Foundation Considers Dropping Firefox Support for Mac OS X 10.5 Leopard

The Mozilla Foundation is considering dropping Firefox support for Mac OS X 10.5 Leopard in June 2012, when Firefox 13 is released. While 24% of current Firefox users run Leopard, the Mozilla Foundation feels that this number will drop to around 13% of users. Currently, only 14% of Firefox users run Mac OS X 10.7 Lion, and 53% run 10.6 Snow Leopard.

This is important, because most of the main threats Mac users face come via the Internet. The web browser is one of the most crucial tools in computer security, and if a browser is no longer supported for a specific platform, users will not be able to upgrade and take advantage of security updates. Given the high number of Firefox users running Leopard, this may be a problem if the numbers don’t drop as much as the Mozilla Foundation’s projections.

Apple has also stopped supporting Leopard, and Mac users running Leopard should at least consider upgrading to Snow Leopard, if possible, to ensure that they remain eligible for security updates. While many users running older operating systems do so because their computers cannot run newer versions of Mac OS X, those that can should be upgraded, at least for security reasons.


Firefox 8 Sees Security Fixes, New Add-On Interface

The Mozilla Foundation has released Firefox 8, the latest version of their web browser. This update notably fixes six security issues, three of which are critical. In addition, Firefox 8 adds a new interface for installing and removing add-ons. Users must clearly opt in to the installation of new add-ons, and will have clearer options about disabling add-ons when upgrading the program. While Firefox already has an Add-ons Manager, which offers this latter feature, the new interface will be a bit clearer for users who don’t access that tool.

Firefox users can update their version of the browser by choosing Firefox > About Firefox, then clicking on Check for Updates. You can also download a copy of the program here.

The Mozilla Foundation has also released an update for their Thunderbird e-mail client. This update fixes six security flaws, and can be downloaded here.


Firefox 7 Released With Security Fixes

The Mozilla Foundation has released Firefox 7 (it seems like they released version 6 not long ago…), and, together with optimizations to the browser and its features, there are eight security fixes, six of which are critical. Users can update their version of Firefox using the program’s built-in auto-updater (choose Firefox > About Firefox, then Check for Updates), or download a new version here.


Firefox Update Blocks DigiNotar Security Certificates

We recently reported on fraudulent SSL certificates issued by DigiNotar, a Dutch certificate authority. The extent of this problem has slowly become apparent, as it was found that the breach was due to “disastrous security” at the company, and the certificates were pulled on browsers but not on smartphones.

The Mozilla Foundation has released Firefox 6.0.2, as well as updates to other programs (Firefox Mobile 6.0.2, Firefox 3.6.22, Thunderbird 6.0.2, Thunderbird 3.1.14 and SeaMonkey 2.3.3) to fix some of the problems related to these certificates. A previous update blocked DigiNotar’s certificates, but this update distrusts all DigiNotar certificates and several intermediates.

Removing the root as in our previous fix meant the certificates could be considered valid if cross-signed by another Certificate Authority. Importantly this list of distrusted certificates includes the “PKIOverheid” (PKIGovernment) intermediates under DigiNotar’s control that did not chain to DigiNotar’s root and were not previously blocked.
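The difference between removing a root and explicitly distrusting certificates can be seen in a toy chain builder. This is an added example, not Mozilla's code: every certificate name is constructed, signatures are not modeled (a chain is just a subject/issuer walk), and distrust is keyed on the subject name as a simplification.

```python
from collections import namedtuple

Cert = namedtuple("Cert", "name subject issuer")

# Constructed sample PKI; every name here is hypothetical.
CERTS = [
    Cert("bad-root", "Breached CA Root", "Breached CA Root"),
    Cert("other-root", "Other CA Root", "Other CA Root"),
    Cert("gov-root", "Government Root", "Government Root"),
    Cert("issuing", "Breached Issuing CA", "Breached CA Root"),
    # Same subject as "issuing", but cross-signed by a different CA.
    Cert("issuing-cross", "Breached Issuing CA", "Other CA Root"),
    # Intermediate run by the breached CA that chains to a different root.
    Cert("gov-sub", "Breached Gov Intermediate", "Government Root"),
    Cert("leaf-a", "login.example", "Breached Issuing CA"),
    Cert("leaf-b", "portal.example", "Breached Gov Intermediate"),
]
BY_NAME = {c.name: c for c in CERTS}


def find_chain(leaf, trusted_roots, distrusted_subjects=frozenset(), _seen=frozenset()):
    """Return the first chain from `leaf` to a trusted root, or None."""
    cert = BY_NAME[leaf]
    # An explicit distrust entry rejects the certificate wherever it appears.
    if cert.subject in distrusted_subjects or leaf in _seen:
        return None
    if cert.subject == cert.issuer:  # self-signed: must be a trust anchor
        return [leaf] if leaf in trusted_roots else None
    # Try every certificate whose subject matches our issuer, so a
    # cross-signed copy of the issuer offers an alternative path.
    for parent in CERTS:
        if parent.subject == cert.issuer:
            rest = find_chain(parent.name, trusted_roots,
                              distrusted_subjects, _seen | {leaf})
            if rest:
                return [leaf] + rest
    return None


ALL_ROOTS = {"bad-root", "other-root", "gov-root"}
ROOT_REMOVED = ALL_ROOTS - {"bad-root"}  # removing the root only
DISTRUSTED = frozenset({"Breached CA Root", "Breached Issuing CA",
                        "Breached Gov Intermediate"})  # explicit distrust

if __name__ == "__main__":
    for leaf in ("leaf-a", "leaf-b"):
        print(leaf, "root removed:", find_chain(leaf, ROOT_REMOVED))
        print(leaf, "distrusted:  ", find_chain(leaf, ROOT_REMOVED, DISTRUSTED))
```

With only the root removed, both leaves still validate through the cross-signed copy and the other root; with the distrust list applied, neither does.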

Certificates stolen include some for the CIA, MI6 and Mossad, so this issue is clearly shaking the weak foundation of the SSL protocol, showing how easy it is to circumvent.

So make sure to update Firefox if you use it. We can expect a security update from Apple soon to deal with these same problems.