
Firefox 44 Drops RC4, Gets Push Notifications

Firefox 44, the latest version of Mozilla’s web browser, is now available for download. It comes with a series of security patches and fully removes support for the RC4 cipher.

Released on Tuesday, the new version resolves a range of vulnerabilities: five rated Critical, three High, six Moderate, and one Low. It also brings new features to Windows, Mac and Linux, the most notable of which is support for push notifications from websites.

In addition to patching those flaws, the browser hardens certificate validation by no longer trusting the Equifax Secure Certificate Authority 1024-bit root certificate or the UTN - DATACorp SGC root, the release notes reveal. Windows builds are now signed with a SHA-256 signing certificate to meet new signing requirements, and support for the old and vulnerable RC4 cipher has been removed.

RC4 dates from 1987 and has been widely used in web applications and online services, but statistical weaknesses in its keystream were found to let attackers crack it with little effort. Last year, researchers published new attacks against RC4 and showed that such attacks are increasingly practical, and browser makers decided to kill support for it.
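To make the "crack it" claim concrete, here is an added example (not from the article, and not Mozilla's or NSS's code) that implements RC4 and measures the best-known single-byte keystream bias: the Mantin-Shamir observation that the second output byte is 0x00 about 1/128 of the time instead of 1/256. Biases like this are what let an attacker who collects the same plaintext encrypted under many keys recover it statistically. The keys are generated from a seeded PRNG and are constructed for the demonstration; the "Key"/"Plaintext" vector is the standard published RC4 test vector.

```python
"""RC4 keystream bias demonstration (added example, not from the article)."""
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR data with keystream; encryption and decryption are the same operation."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def zero_rates(num_keys: int = 10000, key_len: int = 16, positions=(1, 2), seed: int = 1) -> dict:
    """Fraction of random keys whose keystream byte at each 0-based position is 0x00.

    Keys come from a seeded PRNG (constructed input) so a run is reproducible.
    An unbiased generator would give about 1/256 = 0.0039 at every position;
    position 1 (the second byte) comes out near 2/256 for RC4.
    """
    rng = random.Random(seed)
    counts = {p: 0 for p in positions}
    width = max(positions) + 1
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))
        ks = rc4_keystream(key, width)
        for p in positions:
            if ks[p] == 0:
                counts[p] += 1
    return {p: c / num_keys for p, c in counts.items()}


if __name__ == "__main__":
    # Published RC4 test vector: key "Key", plaintext "Plaintext".
    assert rc4_encrypt(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
    for pos, rate in zero_rates().items():
        print(f"keystream byte {pos}: P[0x00] = {rate:.4f} (unbiased would be {1 / 256:.4f})")
```

Ten thousand keys is enough to see the second byte's zero rate sit well above the third byte's; the modern attacks the article refers to exploit many such biases across the first few hundred keystream bytes, which is why no amount of key rotation rescues RC4 for TLS.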

Because Mozilla has completely removed RC4 from Firefox 44, users will no longer be able to connect to servers that offer nothing but RC4 cipher suites. Many sites still support RC4, as F5 Networks evangelist David Holmes explained in a November 2015 SecurityWeek column, but Mozilla says that “Firefox users encounter them at very low rates.”
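As an added example of why an RC4-only server becomes unreachable, the following simulates the cipher-suite part of a TLS 1.2 handshake at the byte level of the ClientHello cipher_suites vector (example code, not Mozilla's or NSS's). The two client preference lists and the RC4-only server are assumptions made for illustration, not Firefox's real configuration; the suite code points and the fatal handshake_failure alert values are the registered ones.

```python
"""Simulated TLS cipher-suite negotiation (added example, not Mozilla code)."""
import struct

# IANA-registered cipher suite code points used in this example.
TLS_RSA_WITH_RC4_128_MD5 = 0x0004
TLS_RSA_WITH_RC4_128_SHA = 0x0005
TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F

RC4_SUITES = {TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA}

# Assumed client preference lists (most preferred first); not Firefox's actual lists.
CLIENT_WITH_RC4_FALLBACK = [
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_RC4_128_SHA,
    TLS_RSA_WITH_RC4_128_SHA,
]
CLIENT_NO_RC4 = [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]

# Constructed RC4-only server: the kind of host Firefox 44 can no longer reach.
RC4_ONLY_SERVER = [TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5]

ALERT_FATAL = 2                 # AlertLevel.fatal
ALERT_HANDSHAKE_FAILURE = 40    # AlertDescription.handshake_failure


def encode_cipher_suites(suites):
    """ClientHello cipher_suites field: 2-byte length, then 2-byte code points."""
    body = b"".join(struct.pack("!H", s) for s in suites)
    return struct.pack("!H", len(body)) + body


def decode_cipher_suites(blob):
    """Parse the cipher_suites vector, rejecting odd lengths and truncation."""
    (length,) = struct.unpack("!H", blob[:2])
    if length % 2 or len(blob) < 2 + length:
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", blob[2 + i:4 + i])[0] for i in range(0, length, 2)]


def offers_rc4(blob):
    """Could a server still negotiate RC4 with the client that sent this vector?"""
    return any(s in RC4_SUITES for s in decode_cipher_suites(blob))


def server_select(server_suites, client_blob):
    """Server-preference selection: first server suite the client also offered.

    Returns ("ServerHello", suite) or ("Alert", (level, description)).
    """
    offered = decode_cipher_suites(client_blob)
    for s in server_suites:
        if s in offered:
            return ("ServerHello", s)
    return ("Alert", (ALERT_FATAL, ALERT_HANDSHAKE_FAILURE))


if __name__ == "__main__":
    for name, suites in (("with RC4 fallback", CLIENT_WITH_RC4_FALLBACK), ("no RC4", CLIENT_NO_RC4)):
        hello = encode_cipher_suites(suites)
        print(f"client {name}: cipher_suites={hello.hex()} -> {server_select(RC4_ONLY_SERVER, hello)}")
```

Server-preference ordering is assumed here; with client-preference ordering the RC4-only case ends the same way, because there is no common suite at all and the only legal server response is the fatal alert.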

Mozilla’s Firefox 44 security advisory reveals that the browser patches three unsafe memory manipulation flaws discovered by researcher Ronald Crane through code inspection: a High-rated memory safety issue in the ANGLE graphics library, a Moderate-rated potential wild pointer flaw when handling zip files, and a Critical-rated integer overflow during metadata parsing in Mozilla's use of the libstagefright library.

No clear mechanism to exploit the first two vulnerabilities through web content has been found so far, but Crane’s finding was given a Critical rating because of the libstagefright issue. It could be triggered during playback of a malicious MP4 video file and lead to arbitrary code execution; the bug resembles the Stagefright flaws found in Android last year, which are still being patched.
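The integer-overflow class behind this kind of finding can be illustrated with an MP4 (ISO base media file format) box-header walker. The following is an added example of that class, not the specific libstagefright defect (the advisory text here gives no detail on it), and the sample boxes are constructed for the demonstration. The two "unchecked" helpers show what 32-bit C arithmetic produces from attacker-chosen size fields; `walk_boxes` shows the validation that keeps those values from ever indexing memory.

```python
"""MP4 (ISO BMFF) box-header walker with size validation (added example)."""
import struct

U32 = 0xFFFFFFFF
HEADER = 8  # 4-byte big-endian size + 4-byte type


def payload_len_unchecked(size: int) -> int:
    """What 32-bit C arithmetic gives for `size - 8` with no range check.

    A box claiming size 4 yields 0xFFFFFFFC, which would become a copy length.
    """
    return (size - HEADER) & U32


def next_offset_unchecked(offset: int, size: int) -> int:
    """`offset + size` in 32 bits: a large size wraps the cursor backwards."""
    return (offset + size) & U32


def walk_boxes(data: bytes) -> list:
    """Return [(offset, type, payload)] for each top-level box, rejecting bad sizes."""
    boxes = []
    offset = 0
    while offset < len(data):
        remaining = len(data) - offset
        if remaining < HEADER:
            raise ValueError(f"truncated box header at offset {offset}")
        size, kind = struct.unpack("!I4s", data[offset:offset + HEADER])
        hdr = HEADER
        if size == 1:                                   # 64-bit largesize follows the type
            if remaining < HEADER + 8:
                raise ValueError(f"truncated largesize at offset {offset}")
            (size,) = struct.unpack("!Q", data[offset + HEADER:offset + 16])
            hdr = 16
        elif size == 0:                                 # box extends to end of file
            size = remaining
        # Compare against what is actually left instead of computing offset + size,
        # so neither a too-small nor a wrapping size can move the cursor backwards.
        if size < hdr or size > remaining:
            raise ValueError(
                f"box {kind!r} at offset {offset} claims {size} bytes, {remaining} available")
        boxes.append((offset, kind.decode("ascii", "replace"), data[offset + hdr:offset + size]))
        offset += size
    return boxes


def is_well_formed(data: bytes) -> bool:
    """True if every top-level box header passes validation."""
    try:
        walk_boxes(data)
        return True
    except ValueError:
        return False


# Constructed samples (not real media files).
GOOD = (b"\x00\x00\x00\x10ftypisom\x00\x00\x00\x00"    # 16-byte ftyp box
        + b"\x00\x00\x00\x08free")                     # empty 8-byte free box
LARGESIZE = b"\x00\x00\x00\x01mdat" + struct.pack("!Q", 20) + b"\x00" * 4
BAD_SHORT = b"\x00\x00\x00\x04mdat"                   # size 4 is smaller than its own header
BAD_WRAP = GOOD + b"\xff\xff\xff\xf0moov"              # 24 + 0xFFFFFFF0 wraps to 8 in 32 bits

if __name__ == "__main__":
    print(f"unchecked payload length for size 4: {payload_len_unchecked(4):#x}")
    print(f"unchecked next offset for 24 + 0xFFFFFFF0: {next_offset_unchecked(24, 0xFFFFFFF0)}")
    for name, blob in (("GOOD", GOOD), ("LARGESIZE", LARGESIZE),
                       ("BAD_SHORT", BAD_SHORT), ("BAD_WRAP", BAD_WRAP)):
        print(f"{name}: {'ok' if is_well_formed(blob) else 'rejected'}")
```

The same discipline applies one level down: the sample-table and track boxes inside moov carry entry counts that are multiplied by entry sizes, and that product needs the same "does this fit in what is left" check before any allocation or copy.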

Firefox 44 also resolves a buffer overflow in WebGL after an out-of-memory condition during allocation, discovered by researcher Aki Helin, which could lead to a potentially exploitable crash. The update further resolves various memory corruption issues that appear under certain circumstances and could be exploited to run arbitrary code.

Mozilla also fixed errors in the mp_div and mp_exptmod cryptographic functions in NSS, a flaw rated High, along with two address bar spoofing vulnerabilities. The first affects the desktop browser and allows the address bar contents to be manipulated; the second affects Firefox for Android, where opening a new tab could scroll the address bar out of view and replace it with a fake one.

Starting with Firefox 44, Windows, Mac and Linux users can receive push notifications from websites that have permission to send these notifications. Mozilla says that these notifications would appear even if the website is not loaded in a tab, meaning that users no longer need to manually check email, weather, social networks and shopping sites for updates.

Push notifications are similar to Web notifications. Users can enable them by clicking the green lock icon on the left side of the address bar, or manage them from the Control Center. Mozilla’s Dan Callahan explains that websites receive anonymous Web Push identifiers, payloads are encrypted, and the service is enabled only for active Web Push subscriptions, all of which should protect users’ privacy.
