Security Experts:

Connect with us

Hi, what are you looking for?



Mozilla Fixes Vulnerabilities, Disables SSL 3.0 in Firefox 34

Mozilla released Firefox 34 on Monday and, as it promised in October, the company disabled Secure Sockets Layer (SSL) 3.0 support to protect users against Padding Oracle On Downgraded Legacy Encryption (POODLE) attacks.

Mozilla released Firefox 34 on Monday and, as it promised in October, the company disabled Secure Sockets Layer (SSL) 3.0 support to protect users against Padding Oracle On Downgraded Legacy Encryption (POODLE) attacks.

“SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information,” Mozilla said in October.

Google also intends to disable SSL 3.0 in Chrome with the release of version 40 of the Web browser. In the meantime, the search engine company has disabled fallback to SSL 3.0 to protect users.

With the release of Firefox 34, Mozilla has addressed a total of eight vulnerabilities, three of which have been rated as “critical,” which indicates that an attacker can leverage them to execute arbitrary code without user interaction beyond normal browsing.   

One of the critical flaws, discovered by Abhishek Arya (Inferno) of the Google Chrome Security Team, has been described as a buffer overflow during the parsing of media content (CVE-2014-1593). Berend-Jan Wever has identified a use-after-free bug caused by triggering the creation of a second root element while parsing HTML written to a document created with the “” function (CVE-2014-1592). Both these critical issues could lead to a potentially exploitable crash.

Various memory safety bugs reported by several researchers (CVE-2014-1588, CVE-2014-1587) are also considered critical and have been addressed.

An interesting high-impact issue was reported to Mozilla by security researcher Kent Howard, who found that the CoreGraphics framework in Apple’s OS X 10.10 (Yosemite) creates log files containing a record of all data, including usernames and passwords, entered into Mozilla programs during their operation (CVE-2014-1595).

“This issue has been addressed in Mozilla products by explicitly turning off the framework’s logging of input events,” Mozilla explained in an advisory.

Potentially exploitable behavior (CVE-2014-1594) has been reported by Byoungyoung Lee, Chengyu Song, and Taesoo Kim from the Georgia Tech Information Security Center (GTISC). Another high-impact issue has been discovered by security researcher Muneaki Nishimura. The bug (CVE-2014-1591) affects Content Security Policy (CSP) and it could be leveraged by a malicious website to obtain sensitive information such as usernames and single-sing-on tokens.

The medium-impact vulnerabilities fixed with the release of Firefox 34 have been described as “XMLHttpRequest crashes with some input streams,” and “XBL bindings accessible via improper CSS declarations.”

In addition to security-related fixes, Firefox 34 brings a few noteworthy changes in functionality. Mozilla has introduced Firefox Hello, a WebRTC feature allowing users to make voice and video calls without the need to install any applications or plugins.

The company has dropped Google as its default search engine. In the United States, Google has been replaced with Yahoo, while in Belarusian, Kazakhstan, and Russia the new default search engine is Yandex.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.