Mozilla released Firefox 26 which includes five critical, three high, three moderate, and three low security updates.
All Java plug-ins are defaulted to ‘click to play’, which is a welcome security addition.
Benjamin Smedberg, Engineering Manager, Stability and Plugins at Mozilla commented: “When Mozilla conducted a user research study on the prototype implementation of click-to-play plugins earlier this year, we discovered that many users did not understand what a plugin was. Participants were confused or annoyed by the experience, especially having to enable plugins on the same site repeatedly. We redesigned the click-to-play feature to focus on enabling plugins per-site, rather than enabling individual plugin instances on the page.”
The password manager now supports script-generated password fields and updates can now be performed by Windows users without write permissions to Firefox install directory (requires Mozilla Maintenance Service).
Here’s a complete list of security fixes:
- Mis-issued ANSSI/DCSSI certificate
- JPEG information leak
- GetElementIC typed array stubs can be generated outside observed typesets
- Use-after-free in synthetic mouse movement
- Trust settings for built-in roots ignored during EV certificate validation
- Linux clipboard information disclosure though selection paste
- Segmentation violation when replacing ordered list elements
- Use-after-free during Table Editing
- Use-after-free in event listeners
- Sandbox restrictions not applied to nested object elements
- Character encoding cross-origin XSS attack
- Application Installation doorhanger persists on navigation
- Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)