Mozilla officials say they will release a Firefox update that fixes the same cross-platform, malicious code-execution vulnerability patched Friday in the Tor Browser. The flaw lets an attacker who holds a man-in-the-middle position and can obtain a forged certificate for Mozilla's servers impersonate those servers, Tor officials warned in an advisory.
From there, the attacker could deliver a malicious update for NoScript or for many other Firefox extensions installed on a targeted computer. The fraudulent certificate would need to be issued by any one of the several hundred certificate authorities that Firefox trusts, so a single compromised or mis-issuing CA is enough to mount the attack.
Adobe's Flash technology is on its way out of the Firefox web browser. In August, Mozilla Corp., maker of the browser, will begin defaulting to HTML5 instead of Flash for video, online animations, games and other rich media.
If users run into a website that offers no non-Flash alternative, Firefox will still render that site with Flash. But next year, Firefox will ask for permission before it renders any site's content with Flash or with Microsoft Corp.'s Silverlight, a rich-media technology similar to Flash. Browser plugins such as Flash and Silverlight "often introduce stability, performance, and security issues for browsers," said Benjamin Smedberg, a manager of Firefox quality engineering, in a blog post.
Mozilla engineers have revealed that their bug-tracking application was compromised, and that an unknown attacker used a privileged account with access to sensitive information about unpatched Firefox vulnerabilities.
According to the foundation's security disclosure, Mozilla confirmed that the attacker had access to the bug tracker since September 2014, but suspects the access goes back even further, to September 2013. Mozilla's security team attributes the incident to one of its users who had reused their bug-tracker password on another site that was later breached. The bug tracker, named Bugzilla and also available as open source, is the tool the foundation uses to track problems with its software.