Firefox 15 fixes 16 vulnerabilities

This is the largest number of security fixes in a single update since Firefox switched to the rapid release model

Although the new version ‘fixes’ more than 2000 individual bugs, the vulnerability fixes are generally less remarkable than the user experience improvements, even though this is the largest number of security fixes in a single update since Firefox switched to the rapid release model. One stands out: the potential exposure of users’ confidential information within the new tab feature that was introduced in Firefox 13.

Sophos analyzed the problem back in June. When the user clicks the ‘new tab’, thumbnails of previously visited pages are displayed. The problem is that those thumbnails could expose sensitive information from HTTPS pages. At the time, Sophos wasn’t certain whether it was a bug in Firefox or a “bug in our attitude to retaining browser data between sessions.” Either way, the problem is resolved in the latest version.

The new version also closes several memory-related bugs that could be used remotely to execute arbitrary code. Other improvements revolve around the user experience. For example, future updates will be more seamless: they will be performed silently in the background while the browser is still in use. HTML5 support and add-on memory usage are also improved.

In a separate blog announcement yesterday, Firefox described two current developments, including a fix for the latest Java exploit. In the future, by default, “vulnerable versions of Java will be disabled for our Firefox users,” it says. And starting this week in Aurora and Beta “we’ll begin adding the components of click-to-play, a Firefox security control that helps protect users against outdated and vulnerable plugins.” The latter is expected to be fully operational in Firefox 18.
