Firefox updated...

Firefox v 23.0 released

Firefox v 23.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

http://www.mozilla.org/en-US/firefox/23.0/releasenotes/

Security Advisories
Fixed in Firefox 23

MFSA 2013-75 Local Java applets may read contents of local file system
MFSA 2013-74 Firefox full and stub installer DLL hijacking
MFSA 2013-73 Same-origin bypass with web workers and XMLHttpRequest
MFSA 2013-72 Wrong principal used for validating URI for some Javascript components
MFSA 2013-71 Further Privilege escalation through Mozilla Updater
MFSA 2013-70 Bypass of XrayWrappers using XBL Scopes
MFSA 2013-69 CRMF requests allow for code execution and XSS attacks
MFSA 2013-68 Document URI misrepresentation and masquerading
MFSA 2013-67 Crash during WAV audio file decoding
MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
MFSA 2013-65 Buffer underflow when generating CRMF requests
MFSA 2013-64 Use after free mutating DOM during SetBody
MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)

https://www.mozilla.org/security/known-vulnerabilities/firefox.html
 
Firefox v23.0.1 released

FYI...

Firefox v23.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

- https://www.mozilla.org/en-US/firefox/23.0.1/releasenotes/
August 16, 2013
FIXED 23.0.1 - Rendering glitches on H.264 video only in FF23 on Vista (901944)
FIXED 23.0.1 - Spellchecking broken with non-ASCII characters in profile path (902532)
FIXED 23.0.1 - Audio static/"burble"/breakup in Firefox to Firefox WebRTC calls (901527) ...

:fear:
 
Firefox v24.0 released

FYI...

Firefox v24.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html
Sep 17, 2013

Security Advisories for v24.0:
* https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox24
Fixed in Firefox 24
MFSA 2013-92 GC hazard with default compartments and frame chain restoration
MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object
MFSA 2013-90 Memory corruption involving scrolling
MFSA 2013-89 Buffer overflow with multi-column, lists, and floats
MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes
MFSA 2013-87 Shared object library loading from writable location
MFSA 2013-86 WebGL Information disclosure through OS X NVIDIA graphic drivers
MFSA 2013-85 Uninitialized data in IonMonkey
MFSA 2013-84 Same-origin bypass through symbolic links
MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification
MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption
MFSA 2013-81 Use-after-free with select element
MFSA 2013-80 NativeKey continues handling key messages after widget is destroyed
MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning
MFSA 2013-78 Integer overflow in ANGLE library
MFSA 2013-77 Improper state in HTML5 Tree Builder with templates
MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)

Release notes
- https://www.mozilla.org/en-US/firefox/24.0/releasenotes/

... complete list of changes in this release... 543 bugs found.
___

- http://www.securitytracker.com/id/1029042
CVE Reference: CVE-2013-1718, CVE-2013-1719, CVE-2013-1720, CVE-2013-1721, CVE-2013-1722, CVE-2013-1723, CVE-2013-1724, CVE-2013-1725, CVE-2013-1726, CVE-2013-1727, CVE-2013-1728, CVE-2013-1729, CVE-2013-1730, CVE-2013-1731, CVE-2013-1732, CVE-2013-1735, CVE-2013-1736, CVE-2013-1737, CVE-2013-1738
Sep 17 2013
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 24.0; prior to ESR 17.0.9 ...

:fear::fear:
 
Last edited:
Firefox v25.0 released

FYI...

Firefox v25.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html
Oct 29, 2013

Security Advisories for v25.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox25
Fixed in Firefox 25
MFSA 2013-102 Use-after-free in HTML document templates
MFSA 2013-101 Memory corruption in workers
MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
MFSA 2013-99 Security bypass of PDF.js checks using iframes
MFSA 2013-98 Use-after-free when updating offline cache
MFSA 2013-97 Writing to cycle collected object during image decoding
MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions
MFSA 2013-95 Access violation with XSLT and uninitialized data
MFSA 2013-94 Spoofing addressbar though SELECT element
MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)

Release notes
- https://www.mozilla.org/en-US/firefox/25.0/releasenotes/

... complete list of changes in this release... 565 bugs found.
___

- https://secunia.com/advisories/55520/
Release Date: 2013-10-30
Criticality: Highly Critical
Where: From remote
Impact: Security Bypass, Spoofing, System access
... vulnerabilities are reported in versions prior to 25.
Solution: Upgrade to version 25.

- http://www.securitytracker.com/id/1029270
CVE Reference: CVE-2013-5590, CVE-2013-5591, CVE-2013-5592, CVE-2013-5593, CVE-2013-5595, CVE-2013-5596, CVE-2013-5597, CVE-2013-5598, CVE-2013-5599, CVE-2013-5600, CVE-2013-5601, CVE-2013-5602, CVE-2013-5603, CVE-2013-5604
Oct 30 2013
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 25.0 ...
Solution: The vendor has issued a fix (25.0)...

:fear::fear:
 
Last edited:
Firefox v25.0.1 ..

FYI...

Firefox v25.0.1 ...

From an admin. account, start Firefox, then >Help >About >Check for Updates ...

- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox25.0.1
Fixed in Firefox 25.0.1
MFSA 2013-103 Miscellaneous Network Security Services (NSS) vulnerabilities
- https://www.mozilla.org/security/announce/2013/mfsa2013-103.html
CVE Reference(s):
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1741 - 7.5 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566 - 2.6
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5605 - 7.5 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5606 - 6.4
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5607 - 7.5 (HIGH)

- https://secunia.com/advisories/55732/
Release Date: 2013-11-19
Criticality: Highly Critical
Where: From remote
Impact: Unknown, Security Bypass, System access
Solution Status: Vendor Patch...
For more information: https://secunia.com/SA55557/
Solution: Update to a fixed version.
Original Advisory: Mozilla:
https://www.mozilla.org/security/announce/2013/mfsa2013-103.html

:fear::fear:
 
Last edited:
Firefox v26.0 released

FYI...

Firefox v26.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Security Advisories for v26.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox26
Fixed in Firefox 26
MFSA 2013-117 Mis-issued ANSSI/DCSSI certificate
MFSA 2013-116 JPEG information leak
MFSA 2013-115 GetElementIC typed array stubs can be generated outside observed typesets
MFSA 2013-114 Use-after-free in synthetic mouse movement
MFSA 2013-113 Trust settings for built-in roots ignored during EV certificate validation
MFSA 2013-112 Linux clipboard information disclosure though selection paste
MFSA 2013-111 Segmentation violation when replacing ordered list elements
MFSA 2013-110 Potential overflow in JavaScript binary search algorithms
MFSA 2013-109 Use-after-free during Table Editing
MFSA 2013-108 Use-after-free in event listeners
MFSA 2013-107 Sandbox restrictions not applied to nested object elements
MFSA 2013-106 Character encoding cross-origin XSS attack
MFSA 2013-105 Application Installation doorhanger persists on navigation
MFSA 2013-104 Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)

Release notes
- https://www.mozilla.org/en-US/firefox/26.0/releasenotes/
Dec 10, 2013

... complete list of changes in this release... 676 bugs found.
___

- https://secunia.com/advisories/56005/
Release Date: 2013-12-10
Criticality: Highly Critical
Where: From remote
Impact: Unknown, Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, System access
CVE Reference(s): CVE-2013-5609, CVE-2013-5610, CVE-2013-5611, CVE-2013-5612, CVE-2013-5613, CVE-2013-5614, CVE-2013-5615, CVE-2013-5616, CVE-2013-5618, CVE-2013-5619, CVE-2013-6629, CVE-2013-6630, CVE-2013-6671, CVE-2013-6672, CVE-2013-6673
... security issue and the vulnerabilities are reported in versions prior to 26.
Solution: Upgrade to version 26.

:fear:
 
Last edited:
Firefox v27.0 released

FYI...

Firefox v27.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Security Advisories for v27.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox27
MFSA 2014-13 Inconsistent JavaScript handling of access to Window objects
MFSA 2014-12 NSS ticket handling issues
MFSA 2014-11 Crash when using web workers with asm.js
MFSA 2014-10 Firefox default start page UI content invokable by script
MFSA 2014-09 Cross-origin information leak through web workers
MFSA 2014-08 Use-after-free with imgRequestProxy and image proccessing
MFSA 2014-07 XSLT stylesheets treated as styles in Content Security Policy
MFSA 2014-06 Profile path leaks to Android system log
MFSA 2014-05 Information disclosure with *FromPoint on iframes
MFSA 2014-04 Incorrect use of discarded images by RasterImage
MFSA 2014-03 UI selection timeout missing on download prompts
MFSA 2014-02 Clone protected content with XBL scopes
MFSA 2014-01 Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)

Release notes
- https://www.mozilla.org/en-US/firefox/27.0/releasenotes/
Feb 4, 2014

... complete list of changes in this release... 659 bugs found.
___

- http://www.securitytracker.com/id/1029717
CVE Reference: CVE-2014-1477, CVE-2014-1478, CVE-2014-1479, CVE-2014-1480, CVE-2014-1481, CVE-2014-1482, CVE-2014-1483, CVE-2014-1485, CVE-2014-1486, CVE-2014-1487, CVE-2014-1488, CVE-2014-1489, CVE-2014-1490, CVE-2014-1491
Feb 5 2014
Impact: Denial of service via network, Disclosure of system information, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 27.0 ...
Solution: The vendor has issued a fix (27.0)...

- https://secunia.com/advisories/56787/
Release Date: 2014-02-05
Criticality: Highly Critical
Where: From remote
Impact: Security Bypass, System access
For more information: https://secunia.com/SA56767/
Solution: Upgrade to version 27.

:fear:
 
Last edited:
Firefox 28.0 released ...

FYI...

Firefox 28.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Security Advisories for 28.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox28
MFSA 2014-32 Out-of-bounds write through TypedArrayObject after neutering
MFSA 2014-31 Out-of-bounds read/write through neutering ArrayBuffer objects
MFSA 2014-30 Use-after-free in TypeObject
MFSA 2014-29 Privilege escalation using WebIDL-implemented APIs
MFSA 2014-28 SVG filters information disclosure through feDisplacementMap
MFSA 2014-27 Memory corruption in Cairo during PDF font rendering
MFSA 2014-26 Information disclosure through polygon rendering in MathML
MFSA 2014-25 Firefox OS DeviceStorageFile object vulnerable to relative path escape
MFSA 2014-24 Android Crash Reporter open to manipulation
MFSA 2014-23 Content Security Policy for data: documents not preserved by session restore
MFSA 2014-22 WebGL content injection from one domain to rendering in another
MFSA 2014-21 Local file access via Open Link in new tab
MFSA 2014-20 onbeforeunload and Javascript navigation DOS
MFSA 2014-19 Spoofing attack on WebRTC permission prompt
MFSA 2014-18 crypto.generateCRMFRequest does not validate type of key
MFSA 2014-17 Out of bounds read during WAV file decoding
MFSA 2014-16 Files extracted during updates are not always read only
MFSA 2014-15 Miscellaneous memory safety hazards (rv:28.0 / rv:24.4)

Release notes
- https://www.mozilla.org/en-US/firefox/28.0/releasenotes/
Mar 18, 2014

... complete list of changes in this release... 865 bugs found.
___

- http://www.securitytracker.com/id/1029928
CVE Reference: CVE-2014-1493, CVE-2014-1494, CVE-2014-1496, CVE-2014-1497, CVE-2014-1498, CVE-2014-1499, CVE-2014-1500, CVE-2014-1501, CVE-2014-1502, CVE-2014-1504, CVE-2014-1505, CVE-2014-1506, CVE-2014-1507, CVE-2014-1508, CVE-2014-1509, CVE-2014-1510, CVE-2014-1511, CVE-2014-1512, CVE-2014-1513, CVE-2014-1514
Mar 19 2014
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 28.0 ...
Solution: The vendor has issued a fix (28.0)...
___

- https://www.computerworld.com/s/article/9247062/Mozilla_patches_20_Firefox_flaws_plugs_Pwn2Own_holes
Mar 19, 2014 - "... Firefox 28 was primarily a security update, patching the five Pwn2Own flaws and 15 others..."
___

Firefox 28.0.1 for Android
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox28.0.1

- https://www.mozilla.org/security/announce/2014/mfsa2014-33.html

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1515
"... Firefox before 28.0.1 on Android processes a file: URL by copying a local file onto the SD card, which allows attackers to obtain sensitive information from the Firefox profile directory via a crafted application..."

:fear:
 
Last edited:
Firefox 29.0 released ...

FYI...

Firefox 29.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Security Advisories for 29.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox29
Fixed in Firefox 29
MFSA 2014-47 Debugger can bypass XrayWrappers with JavaScript
MFSA 2014-46 Use-after-free in nsHostResolve
MFSA 2014-45 Incorrect IDNA domain name matching for wildcard certificates
MFSA 2014-44 Use-after-free in imgLoader while resizing images
MFSA 2014-43 Cross-site scripting (XSS) using history navigations
MFSA 2014-42 Privilege escalation through Web Notification API
MFSA 2014-41 Out-of-bounds write in Cairo
MFSA 2014-40 Firefox for Android addressbar suppression
MFSA 2014-39 Use-after-free in the Text Track Manager for HTML video
MFSA 2014-38 Buffer overflow when using non-XBL object as XBL
MFSA 2014-37 Out of bounds read while decoding JPG images
MFSA 2014-36 Web Audio memory corruption issues
MFSA 2014-35 Privilege escalation through Mozilla Maintenance Service Installer
MFSA 2014-34 Miscellaneous memory safety hazards (rv:29.0 / rv:24.5)

Release notes
- https://www.mozilla.org/en-US/firefox/29.0/releasenotes/
Apr 29, 2014

... complete list of changes in this release... 3892 bugs found.
___

- https://addons.mozilla.org/en-US/firefox/addon/status-4-evar/versions/
April 27, 2014
___

- http://www.securitytracker.com/id/1030163
CVE Reference: CVE-2014-1518, CVE-2014-1519, CVE-2014-1520, CVE-2014-1522, CVE-2014-1523, CVE-2014-1524, CVE-2014-1525, CVE-2014-1526, CVE-2014-1527, CVE-2014-1528, CVE-2014-1529, CVE-2014-1530, CVE-2014-1531, CVE-2014-1532
Apr 30 2014
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 29.0 ...
Solution: The vendor has issued a fix (29.0)...

:fear:
 
Last edited:
Firefox 30.0 released ...

FYI...

Firefox 30.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Security Advisories for 30.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox30
Fixed in Firefox 30
MFSA 2014-54 Buffer overflow in Gamepad API
MFSA 2014-53 Buffer overflow in Web Audio Speex resampler
MFSA 2014-52 Use-after-free with SMIL Animation Controller
MFSA 2014-51 Use-after-free in Event Listener Manager
MFSA 2014-50 Clickjacking through cursor invisability after Flash interaction
MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer
MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)

Release notes
- https://www.mozilla.org/en-US/firefox/30.0/releasenotes/
June 10, 2014

... complete list of changes in this release... 3622 bugs found.
___

- http://www.securitytracker.com/id/1030388
CVE Reference: CVE-2014-1533, CVE-2014-1534, CVE-2014-1536, CVE-2014-1537, CVE-2014-1538, CVE-2014-1539, CVE-2014-1540, CVE-2014-1541, CVE-2014-1542, CVE-2014-1543
Jun 11 2014
Impact: Disclosure of system information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 30.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system. A remote user can conduct clickjacking attacks.
Solution: The vendor has issued a fix (30.0)...

:fear::fear:
 
Last edited:
Firefox 31.0 released

FYI...

Firefox 31.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-

Download: https://www.mozilla.com/firefox/all.html

Security Advisories for 31.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox31
Fixed in Firefox 31
MFSA 2014-66 IFRAME sandbox same-origin access through redirect
MFSA 2014-65 Certificate parsing broken by non-standard character encoding
MFSA 2014-64 Crash in Skia library when scaling high quality images
MFSA 2014-63 Use-after-free while when manipulating certificates in the trusted cache
MFSA 2014-62 Exploitable WebGL crash with Cesium JavaScript library
MFSA 2014-61 Use-after-free with FireOnStateChange event
MFSA 2014-60 Toolbar dialog customization event spoofing
MFSA 2014-59 Use-after-free in DirectWrite font handling
MFSA 2014-58 Use-after-free in Web Audio due to incorrect control message ordering
MFSA 2014-57 Buffer overflow during Web Audio buffering for playback
MFSA 2014-56 Miscellaneous memory safety hazards (rv:31.0 / rv:24.7)

Release notes
- https://www.mozilla.org/en-US/firefox/31.0/releasenotes/
July 22, 2014

... complete list of changes in this release... 3025 bugs found.
___

- http://www.securitytracker.com/id/1030619
CVE Reference: CVE-2014-1547, CVE-2014-1548, CVE-2014-1549, CVE-2014-1550, CVE-2014-1551, CVE-2014-1552, CVE-2014-1555, CVE-2014-1556, CVE-2014-1557, CVE-2014-1558, CVE-2014-1559, CVE-2014-1560, CVE-2014-1561
Jul 22 2014
Impact: Denial of service via network, Execution of arbitrary code via network, Modification of system information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 31.0 ...

:fear:
 
Last edited:
Firefox 32.0 released

FYI...

Firefox 32.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Security Advisories for 32.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox32
Fixed in Firefox 32
MFSA 2014-72 Use-after-free setting text directionality
MFSA 2014-71 Profile directory file access through file: protocol
MFSA 2014-70 Out-of-bounds read in Web Audio audio timeline
MFSA 2014-69 Uninitialized memory use during GIF rendering
MFSA 2014-68 Use-after-free during DOM interactions with SVG
MFSA 2014-67 Miscellaneous memory safety hazards (rv:32.0 / rv:31.1 / rv:24.8 )

Release notes
- https://www.mozilla.org/en-US/firefox/32.0/releasenotes/
Sep 2, 2014

... complete list of changes in this release... 3198 bugs found.
___

- http://www.securitytracker.com/id/1030793
CVE Reference: CVE-2014-1553, CVE-2014-1554, CVE-2014-1562, CVE-2014-1563, CVE-2014-1564, CVE-2014-1565, CVE-2014-1567
Sep 3 2014
Impact: Disclosure of system information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 31.1, 32.0 ...

:fear:
 
Last edited:
Firefox 32.0.1 released

FYI...

Firefox 32.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Release notes
- https://www.mozilla.org/en-US/firefox/32.0.1/releasenotes/
Sep 12, 2014
Fixed: 32.0.1 - Stability issues for computers with multiple graphics cards
Fixed: 32.0.1 - Mixed content icon may be incorrectly displayed instead of lock icon for SSL sites
Fixed: 32.0.1 - WebRTC: setRemoteDescription() silently fails if no success callback is specified...

Mobile:
- https://www.mozilla.org/en-US/mobile/32.0.1/releasenotes/
Fixed: 32.0.1 - Link tap selection is offset on some Android devices
Fixed: 32.0.1 - WebRTC: setRemoteDescription() silently fails if no success callback is specified...

:fear:
 
Last edited:
Firefox 32.0.3 released

FYI...

Firefox 32.0.3 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Release notes
- https://www.mozilla.org/en-US/firefox/32.0.3/releasenotes/
September 24, 2014
Fixed: 32.0.3: New security fixes can be found here*
* https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox32.0.3
MFSA 2014-73 RSA Signature Forgery in NSS
> https://www.mozilla.org/security/announce/2014/mfsa2014-73.html

> https://www.us-cert.gov/ncas/curren...k-Security-Services-NSS-Library-Vulnerability
Sep 24, 2014

- http://www.kb.cert.org/vuls/id/772676
24 Sep 2014 - "... This vulnerability may allow an attacker to forge a RSA signature, such as a SSL certificate..."

- http://www.securitytracker.com/id/1030901
CVE Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1568 - 7.5 (HIGH)
Sep 24 2014
Impact: Disclosure of system information, Disclosure of user information, Modification of authentication information, Modification of system information, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions ESR 24.8.1, ESR 31.1.1, 32.0.3 ...

:fear::fear:
 
Last edited:
Firefox 33.0 released

FYI...

Firefox 33.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Security Advisories for 33.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox33
Fixed in Firefox 33
MFSA 2014-82 Accessing cross-origin objects via the Alarms API
MFSA 2014-81 Inconsistent video sharing within iframe
MFSA 2014-80 Key pinning bypasses
MFSA 2014-79 Use-after-free interacting with text directionality
MFSA 2014-78 Further uninitialized memory use during GIF
MFSA 2014-77 Out-of-bounds write with WebM video
MFSA 2014-76 Web Audio memory corruption issues with custom waveforms
MFSA 2014-75 Buffer overflow during CSS manipulation
MFSA 2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)

Release notes
- https://www.mozilla.org/en-US/firefox/33.0/releasenotes/
Oct 14, 2014

... complete list of changes in this release... 3422 bugs found.
___

- http://www.securitytracker.com/id/1031028
CVE Reference: CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577, CVE-2014-1578, CVE-2014-1580, CVE-2014-1581, CVE-2014-1582, CVE-2014-1583, CVE-2014-1584, CVE-2014-1585, CVE-2014-1586
Oct 14 2014
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 33.0 ...
___

Mozilla to disable encryption feature in next Firefox browser due to 'Poodle' bug
- http://www.reuters.com/article/2014/10/15/cybersecurity-encryption-mozilla-idUSL3N0SA04O20141015
Oct 14, 2014 - "Mozilla said it will -disable- Secure Sockets Layer (SSL) encryption in the latest version of its Firefox web browser that will be released on Nov. 25 after a security bug called "Poodle" was discovered in a web encryption technology. "By exploiting this vulnerability, an attacker can gain access to things like passwords and cookies, enabling him to access a user's private account data on a website," Mozilla said in its blog*. SSL 3.0 will be disabled by default in Firefox 34, Mozilla said. The code to disable the security protocol will be available shortly via Mozilla Nightly, an in-development version of Mozilla's browser. Mozilla also said that Firefox 35 will support a generic Transport Layer Security (TLS) downgrade protection mechanism called SCSV (Signaling Cipher Suite Value), as a precautionary measure..."
* https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
Oct 14, 2014 - "Summary: SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information. We have a plan to turn off SSLv3 in Firefox. This plan was developed with other browser vendors after a team at Google discovered a critical flaw in SSLv3, which can allow an attacker to extract secret information from inside of an encrypted transaction. SSLv3 is an old version of the security system that underlies secure Web transactions and is known as the “Secure Sockets Layer” (SSL) or “Transport Layer Security” (TLS)..."

Microsoft Security Advisory 3009008
Vulnerability in SSL 3.0 Could Allow Information Disclosure
- https://technet.microsoft.com/en-us/library/security/3009008.aspx
Oct 14, 2014

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
Last revised: 10/14/2014

:fear:
 
Last edited:
Back
Top