SecurityWeek

Network Security

Firefox 44 Drops RC4, Gets Push Notifications

Firefox 44, the latest version of Mozilla’s web browser, is now available for download and comes with a series of security patches, and has fully removed support for the RC4 cipher.

Released on Tuesday, the latest iteration of the application is meant to resolve various vulnerabilities, including five that are rated Critical, three rated High, six Moderate, and one low risk issue. It also brings new features to Windows, Mac and Linux machines, the most notable of which is support for push notifications from websites.

In addition to resolving security flaws, the browser improves security by no longer trusting the Equifax Secure Certificate Authority 1024-bit root certificate or the UTN – DATACorp SGC root for certificate validation, the release notes reveal. It also uses a SHA-256 signing certificate for Windows builds to meet new signing requirements, and removes support for the old and vulnerable RC4 cipher.

RC4 has been around since 1987 and has been widely used in web applications and online services, but vulnerabilities in it were found to allow attackers to easily crack it. Last year, researchers discovered new attacks against RC4 and showed that such attacks are increasingly practical and feasible, and browser makers decided to kill support for it.

Given that Mozilla has completely removed support for RC4 in Firefox 44, users will no longer be able to connect to servers that require the encryption cipher. Many sites still offer support for RC4, as F5 Networks evangelist David Holmes explained in a November 2015 SecurityWeek column, but Mozilla says that “Firefox users encounter them at very low rates.”
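Dropping RC4 means Firefox 44 no longer advertises any RC4 cipher suite in its TLS ClientHello, so a site that only offers RC4 cannot complete a handshake with it. The following is an added example, not code from the article or from Mozilla: a small parser that reads the cipher suite list out of a captured TLS ClientHello record and reports any RC4 suites still being offered, which is a convenient way to audit clients (or to confirm a server's own test client) before the remaining RC4-only endpoints start failing. The sample hellos and the helper that builds them are constructed for the example; the four suite identifiers are the IANA-registered RC4 suites most commonly seen from browsers and servers.

```python
"""Report RC4 cipher suites advertised in a TLS ClientHello.

Added example (not the article's or Mozilla's code): parses the TLS record
and handshake framing, extracts the cipher_suites vector, and flags RC4.
The ClientHello builder and the two sample hellos are constructed here
purely as test input.
"""
import struct
from typing import List

# IANA-registered RC4 suites most often offered by browsers and servers.
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}


def parse_client_hello_ciphers(record: bytes) -> List[int]:
    """Return the cipher suite IDs advertised in a TLS ClientHello record.

    Raises ValueError if the bytes are not a well-formed handshake record
    carrying a ClientHello (truncated input is rejected, not guessed at).
    """
    if len(record) < 5 or record[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if len(body) < 4 or body[0] != 0x01:              # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                       # skip client_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                                 # skip session_id
    if pos + 2 > len(hello):
        raise ValueError("truncated before cipher_suites")
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", hello[i:i + 2])[0]
            for i in range(pos, pos + cs_len, 2)]


def rc4_suites_offered(record: bytes) -> List[str]:
    """Names of the RC4 suites a ClientHello advertises, in offered order."""
    return [RC4_SUITES[c] for c in parse_client_hello_ciphers(record)
            if c in RC4_SUITES]


def build_client_hello(cipher_suites: List[int]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test input only)."""
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    hello = (b"\x03\x03" + bytes(32)                  # version + random (zeros for a sample)
             + b"\x00"                                # empty session_id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00")                           # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: a legacy client still offering RC4, and one that does not.
SAMPLE_LEGACY = build_client_hello([0xC02F, 0xC011, 0x0005, 0x002F])
SAMPLE_MODERN = build_client_hello([0xC02F, 0xC02B, 0x002F])

if __name__ == "__main__":
    for name, rec in (("legacy", SAMPLE_LEGACY), ("modern", SAMPLE_MODERN)):
        print(name, rc4_suites_offered(rec) or "no RC4 suites offered")
```

On a real capture, feed the first record of the client's first flight (for example the bytes of the first packet payload after the TCP handshake) to `rc4_suites_offered`; a ClientHello from Firefox 44 should yield an empty list, while one from a client that still negotiates RC4 lists the offending suites by name.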

Mozilla’s Firefox 44 security advisory reveals that the browser patches three unsafe memory manipulation flaws discovered by researcher Ronald Crane through code inspection. These include a high rated memory safety issue in the ANGLE graphics library, a moderate rated potential wild pointer flaw when handling zip files, and a critical rated integer overflow during metadata parsing in Mozilla’s use of the libstagefright library.

No clear mechanism to exploit the first two vulnerabilities through web content has been found as of yet, but Crane’s finding was given a Critical risk rating because of the libstagefright issue. It could be triggered during the playback of a malicious MP4 format video file, allowing for arbitrary code execution. The bug resembles the Stagefright flaws found in Android last year, which are still being patched.

Firefox 44 also resolves a buffer overflow in WebGL after out of memory allocation, which was discovered by researcher Aki Helin and which could lead to a potentially exploitable crash. The updated browser also resolves various memory corruption issues that appear under certain circumstances and which could be exploited to run arbitrary code.

Mozilla also resolved errors in mp_div and mp_exptmod cryptographic functions in NSS, a flaw rated High, along with two addressbar spoofing attack vulnerabilities. Affecting the desktop browser, the first flaw allows for the addressbar contents to be manipulated, while the second affects Firefox for Android and would scroll the addressbar out of view and replace it with a fake one when a new tab is opened.

Starting with Firefox 44, Windows, Mac and Linux users can receive push notifications from websites that have permission to send these notifications. Mozilla says that these notifications would appear even if the website is not loaded in a tab, meaning that users no longer need to manually check email, weather, social networks and shopping sites for updates.

The push notifications are similar to Web notifications; users can enable them by clicking on the green lock icon on the left side of the address bar, or can head to the Control Center to manage notifications. Mozilla’s Dan Callahan explains that websites receive anonymous Web Push identifiers, payloads are encrypted, and the service is enabled only for active Web Push subscriptions, all of which should keep users’ privacy safe.