Firefox 17 comes with security fixes and improvements – and social enhancement

The latest stable version of the world’s second most popular browser includes 16 security fixes: six rated ‘critical’ (potential for remote exploitation); 9 rated ‘high’ (require no more than normal browsing activities); and one rated ‘moderate’ (requires user intervention). Full details of these can be found on the Mozilla security advisories page. In total, around 2300 bugs are fixed with this version. 

A major new security feature in this version is the ‘click-to-play blocklist’ feature. Old, outdated and vulnerable browser add-ins are a primary route for cyber attacks. Now Firefox will automatically disable outdated or vulnerable plug-ins. A small plug-in icon appears to the left of the Firefox Awesome Bar. Clicking this will deliver a pop-up saying which plug-ins have been disabled and offering the user the option to look for updates, or reactivate regardless.

“Click-to-play blocklisted plugins gives the user the ability to make an informed decision depending on their current activity,” announced Mozilla when the feature was introduced into the beta program. Like everything else, however, it is not a defense against social engineering. “At the moment, click-to-play blocklisted plugins is a security feature that protects against drive-by attacks targeting plugins that are known to be vulnerable. It does not prevent attacks where a user is convinced to activate a vulnerable plugin on a malicious site. It also is not an all-purpose plugin management system.”

The major non-security enhancement to Firefox 17 is the addition of a Social API. At the moment, Facebook Messenger is the only service included – but anyone can use the API. “Navigating to the Facebook for Firefox page while running Firefox 17 and clicking the Turn On button will enable a persistent sidebar in your Firefox window that shows you your Facebook chat list as well as your outstanding notifications,” notes Ars Technica. “Pop-up notifications will also appear in the lower-right corner of your screen.”

Finally, it is worth noting that Firefox no longer supports OS X 10.5 (Leopard) on the Mac, a version thought to account for about 10% of all Mac users. Leopard users are now stuck in the past since Apple has also abandoned them. “If you've still got Leopard systems to worry about - at least, if you look after systems that are stuck on 10.5 because Apple itself disowned them, meaning you can't upgrade OS X, let alone your applications - then you might as well jump ship,” suggests Paul Ducklin in the Sophos NakedSecurity blog. “I'm trying to say,” he adds, “just switch to some sort of Linux without using the L-word.”
