Firefox 7 Released – Includes updates for Security, not SSL (BEAST)
Firefox 7 isn't just about speed, there's also a long list of security patches. Surprisingly, a fix for the SSL BEAST attack is not one of them.
Mozilla is patching it's Firefox Web browser for at least 10 vulnerabilities, seven of which are rated as being "critical." Firefox 7 was released on Tuesday offering users the promised of improved performance and better memory usage.
On the security front, the Firefox 7 release provides a critical fix for what Mozilla describes as, "Miscellaneous memory safety hazards."
"Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products,"
Mozilla stated in its advisory. "Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code."
There is also a critical fix for an interesting flaw that could have been triggered by having a user hold down the 'Enter' key. By holding
down the key, code could potentially be installed without a user's knowledge.
"Mariusz Mlynski reported that if you could convince a user to hold down the Enter key — as part of a game or test, perhaps — a malicious
page could pop up a download dialog where the held key would then activate the default Open action," Mozilla warned.
Other critical flaws that are fixed in Firefox 7 include potentially exploitable crashes in WebGL graphics and the YARR regular expression
library. Firefox 7 also provides a fix for a high impact flaw where cross-site scripting (XSS) could have been enabled via plugins.
There is also a fix in Firefox 7 for a flaw rated as "moderate" that is triggered by the motion of a device. Mozilla's advisory noted that a recent research paper detailed how it would be possible to inferring keystrokes from device motion data on mobile devices.
"Web pages can now receive data similar to the apps studied in that paper and likely present a similar risk," Mozilla warned. "We have decided to limit motion data events to the currently-active tab to prevent the possibility of background tabs attempting to decipher
keystrokes the user is entering into the foreground tab."
While Firefox 7 addresses multiple security issues, it is not taking specific aim at the recent disclosure of potential SSL vulnerabilities. Overall, Mozilla has publicly noted that they do not believe Firefox to currently be at risk from the SSL BEAST attack
Firefox released 7.0.1
http://www.mozilla.org/en-US/firefox/7.0.1/releasenotes/
Firefox 7.0.1 for Windows | 13.4 MB (Freeware)