STE WILLIAMS

Firefox moves up to Version 25, fixes a bunch of memory mismanagement problems

A brief reminder for Firefox users: version 25 is out.

As usual, there are some new and tweaked features, plus a fair number of security fixes.

And, as usual, Mozilla recommends your immediate attention to the update, if you’re one of those who prefers to be alerted to updates first rather than having them automatically applied:

It is strongly recommended that you apply this update for Firefox as soon as possible.

If you aren’t already using Firefox you can get a copy of the latest version from the downloads page.

There are actually four updated software versions in the Mozilla stable that have received the security patches from the latest upgrade:

  • Firefox 24.0 goes to 25.0.
  • Firefox 24.0ESR (Extended Support Release) goes to 24.1ESR.
  • Firefox 17.0.9ESR goes to 17.0.10ESR.
  • Thunderbird goes to 24.1.

The SeaMonkey application suite is also listed as getting the fixes, moving to 2.22, but it looks as though SeaMonkey users may have to wait, as the official download page [at 2013-10-30T05:45Z] still offers 2.21.

Tor Browser users will also need to keep their eye on the progress of updates, as the Firefox ESR version that ships in the Tor Browser Bundle is still at 17.0.9.

Five of the security advisories are marked in red, meaning they’re critical, and can therefore possibly, or even probably, be used for implanting malware via Remote Code Execution (RCE).

All of the critical fixes involve memory mismanagement errors such as use-after-free bugs: if you’re interested in the potential implications of this sort of programming flaw, you might want to check out our Anatomy of an IE Exploit series.

There are two official changes listed for Firefox 25, and both caught my eye, as they have to do with the Firefox Reset feature:

Resetting Firefox is a not-very-well-known option you can try when websites stop working properly, perhaps because of accumulated state information about your browsing so far. (So much for HTTP being a so-called stateless protocol where each request stands entirely on its own.)

If you browse to the URL about:support, you’ll see the reset option:

As the change list reminds us quite clearly, a Firefox reset doesn’t set you back to a state of total browsing innocence, and in Firefox 25, it seems that slightly less than before is deleted from the browser’s store of information.

In particular, the reset function no longer forces an end to any current browser sessions, meaning that it leaves behind a fair amount of data about your current browser state.

Do bear this in mind, especially if you also use Safari, where the Reset option can be used to remove all browser data, effectively logging you out, removing all tracking cookies, and more.

The equivalent option in Firefox isn’t Reset, but rather Clear All History, which you reach from the History|Clear Recent History menu option.

Now grab the update, and shield yourself from any potential attacks that might be found against those use-after-free bugs!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/TLRFDHlAcWM/
