Mozilla released Firefox 34 on Monday and, as it promised in October, the company disabled Secure Sockets Layer (SSL) 3.0 support to protect users against Padding Oracle On Downgraded Legacy Encryption (POODLE) attacks.
“SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information,” Mozilla said in October.
Google also intends to disable SSL 3.0 in Chrome with the release of version 40 of the Web browser. In the meantime, the search engine company has disabled fallback to SSL 3.0 to protect users.
With the release of Firefox 34, Mozilla has addressed a total of eight vulnerabilities, three of which have been rated as “critical,” which indicates that an attacker can leverage them to execute arbitrary code without user interaction beyond normal browsing.
One of the critical flaws, discovered by Abhishek Arya (Inferno) of the Google Chrome Security Team, has been described as a buffer overflow during the parsing of media content (CVE-2014-1593). Berend-Jan Wever has identified a use-after-free bug caused by triggering the creation of a second root element while parsing HTML written to a document created with the “document.open()” function (CVE-2014-1592). Both these critical issues could lead to a potentially exploitable crash.
Various memory safety bugs reported by several researchers (CVE-2014-1588, CVE-2014-1587) are also considered critical and have been addressed.
An interesting high-impact issue was reported to Mozilla by security researcher Kent Howard, who found that the CoreGraphics framework in Apple’s OS X 10.10 (Yosemite) creates log files containing a record of all data, including usernames and passwords, entered into Mozilla programs during their operation (CVE-2014-1595).
“This issue has been addressed in Mozilla products by explicitly turning off the framework’s logging of input events,” Mozilla explained in an advisory.
Potentially exploitable behavior (CVE-2014-1594) has been reported by Byoungyoung Lee, Chengyu Song, and Taesoo Kim from the Georgia Tech Information Security Center (GTISC). Another high-impact issue has been discovered by security researcher Muneaki Nishimura. The bug (CVE-2014-1591) affects Content Security Policy (CSP) and it could be leveraged by a malicious website to obtain sensitive information such as usernames and single-sing-on tokens.
The medium-impact vulnerabilities fixed with the release of Firefox 34 have been described as “XMLHttpRequest crashes with some input streams,” and “XBL bindings accessible via improper CSS declarations.”
In addition to security-related fixes, Firefox 34 brings a few noteworthy changes in functionality. Mozilla has introduced Firefox Hello, a WebRTC feature allowing users to make voice and video calls without the need to install any applications or plugins.
The company has dropped Google as its default search engine. In the United States, Google has been replaced with Yahoo, while in Belarusian, Kazakhstan, and Russia the new default search engine is Yandex.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
- Google Fi Data Breach Reportedly Led to SIM Swapping
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
Latest News
- Malicious NPM, PyPI Packages Stealing User Information
- VMware Confirms Exploit Code Released for Critical vRealize Logging Vulnerabilities
- 98% of Firms Have a Supply Chain Relationship That Has Been Breached: Analysis
- Dutch, European Hospitals ‘Hit by Pro-Russian Hackers’
- Gem Security Gets $11 Million Seed Investment for Cloud Incident Response Platform
- Ransomware Leads to Nantucket Public Schools Shutdown
- Stop, Collaborate and Listen: Disrupting Cybercrime Networks Requires Private-Public Cooperation and Information Sharing
- Boxx Insurance Raises $14.4 Million in Series B Funding
