Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Mozilla Fixes Vulnerabilities, Disables SSL 3.0 in Firefox 34

Mozilla released Firefox 34 on Monday and, as it promised in October, the company disabled Secure Sockets Layer (SSL) 3.0 support to protect users against Padding Oracle On Downgraded Legacy Encryption (POODLE) attacks.

Mozilla released Firefox 34 on Monday and, as it promised in October, the company disabled Secure Sockets Layer (SSL) 3.0 support to protect users against Padding Oracle On Downgraded Legacy Encryption (POODLE) attacks.

“SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information,” Mozilla said in October.

Google also intends to disable SSL 3.0 in Chrome with the release of version 40 of the Web browser. In the meantime, the search engine company has disabled fallback to SSL 3.0 to protect users.

With the release of Firefox 34, Mozilla has addressed a total of eight vulnerabilities, three of which have been rated as “critical,” which indicates that an attacker can leverage them to execute arbitrary code without user interaction beyond normal browsing.   

One of the critical flaws, discovered by Abhishek Arya (Inferno) of the Google Chrome Security Team, has been described as a buffer overflow during the parsing of media content (CVE-2014-1593). Berend-Jan Wever has identified a use-after-free bug caused by triggering the creation of a second root element while parsing HTML written to a document created with the “document.open()” function (CVE-2014-1592). Both these critical issues could lead to a potentially exploitable crash.

Various memory safety bugs reported by several researchers (CVE-2014-1588, CVE-2014-1587) are also considered critical and have been addressed.

An interesting high-impact issue was reported to Mozilla by security researcher Kent Howard, who found that the CoreGraphics framework in Apple’s OS X 10.10 (Yosemite) creates log files containing a record of all data, including usernames and passwords, entered into Mozilla programs during their operation (CVE-2014-1595).

“This issue has been addressed in Mozilla products by explicitly turning off the framework’s logging of input events,” Mozilla explained in an advisory.

Advertisement. Scroll to continue reading.

Potentially exploitable behavior (CVE-2014-1594) has been reported by Byoungyoung Lee, Chengyu Song, and Taesoo Kim from the Georgia Tech Information Security Center (GTISC). Another high-impact issue has been discovered by security researcher Muneaki Nishimura. The bug (CVE-2014-1591) affects Content Security Policy (CSP) and it could be leveraged by a malicious website to obtain sensitive information such as usernames and single-sing-on tokens.

The medium-impact vulnerabilities fixed with the release of Firefox 34 have been described as “XMLHttpRequest crashes with some input streams,” and “XBL bindings accessible via improper CSS declarations.”

In addition to security-related fixes, Firefox 34 brings a few noteworthy changes in functionality. Mozilla has introduced Firefox Hello, a WebRTC feature allowing users to make voice and video calls without the need to install any applications or plugins.

The company has dropped Google as its default search engine. In the United States, Google has been replaced with Yahoo, while in Belarusian, Kazakhstan, and Russia the new default search engine is Yandex.

 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.