Web browser developers always make it a point to update their software to new-and-improved versions, removing vulnerabilities so users can have a smooth experience while using the browser.
The idea is to reduce if not eliminate browser crashes and, at the same time, protect the security of users’ data from hackers.
In an effort to do the same, Mozilla just issued fresh patches to remove bugs in the company’s popular web browser, Firefox.
The latest version, Firefox 55, has taken care of 29 such vulnerabilities.
Some were categorized as ‘Critical’ and others as less critical, but marked ‘High,’ ‘Moderate’ and even ‘Low.’ Each of these patches is issued a number to identify which bug is being taken care of by which patch.
The Three Most Critical Vulnerabilities
The most important vulnerability fixed by Mozilla in the Firefox 55 browser relates to XUL (the XML User Interface Language) and the source code embedded in the browser’s style developer tool.
This was one of the vulnerabilities detected by a German engineer. Had the bug been left unpatched, users who opened a malicious page or mail attachment could have been exposed to code execution.
The number given for this patch is CVE-2017-7798.
The other two critical vulnerabilities are use-after-free in nature and can result in the browser crashing.
To prevent this, two new patches, for CVE-2017-7800 and CVE-2017-7801, have been released by Mozilla.
One of them has to do with Web Sockets and the other with window resizing using the marquee tool.
In both cases, an object that is freed before disconnection or while still in use could cause the browser to crash, exposing the vulnerability.
The Next Set of Vulnerabilities Fixed in Firefox 55
There were at least 11 patches carrying the ‘High’ label, according to Mozilla, and these bugs had to be fixed.
They relate to different functionalities and most of them had been reported by an expert.
Some of them are, again, of the use-after-free variety, and some are buffer overflows as well.
One bug rated ‘High’ relates to a same-origin bypass with iframes.
Mozilla’s explanatory notes, attached to each of these patches to fix the vulnerabilities, give a brief idea of how the bug could have led to a crash and expose the user to security flaws, or how an external attacker could exploit the weakness and cause the browser to crash.
There is even a Windows-only vulnerability fixed in the Firefox 55 release.
It’s described as a memory protection bypass through ‘WindowsDllDetourPatcher,’ in which the current memory protection settings could be bypassed; the fix is meant to avoid an attack through the browser.
The remaining patches among the 29 listed address bugs rated ‘Moderate’ and ‘Low’ in severity.
However, there are two more patches in the ‘Critical’ category, which address memory safety bugs in the browser.
Users Must Download the New Version
Firefox has not yet enabled automatic updates to transition from Firefox version 54 to 55, so users may have to manually go in for a download to take advantage of the latest updates.
Eventually, the browser update will be carried out on your system automatically, and sooner rather than later.
However, some people have a tendency to ‘disable’ automatic updates and prefer to update manually.
You may want to check your settings and allow for automatic updates after you have downloaded the latest Firefox 55 version.
Changes in the Way ‘Flash’ Runs on the Browser
Yet another change that must be mentioned here, though one may not consider it as a browser update, relates to the animation plugin, ‘Flash.’
As is known, Adobe has already made an announcement that Flash won’t be available after 2020.
There have been many complaints about the security environment within Flash and many users have suffered due to the vulnerabilities in this plugin tool in the past.
Firefox has already gotten rid of almost all other plugins in earlier versions, and with this new Firefox 55, it intends to make Flash a ‘click-to-activate’ plugin.
It appears there is a clear roadmap laid down as well to phase out the plugin, and this could happen over the next couple of months.
After some period, the browser will decline requests to activate Flash completely.