Firefox 22 enables WebRTC, makes social APIs easier to manage

BetaNews: Mozilla has released Firefox 22.0 FINAL for Windows, Mac and Linux. The update includes some platform-specific improvements — Firefox following display scaling options in Windows, and providing download progress indicators in its dock application icon in OS X — plus a number of other tweaks and improvements.

Other new features include the ability for users to now manage their social API plug-ins via the Add-ons menu (select Services in the left-hand menu to do so), while users can now adjust the playback rate of HTML5 audio and video files (right-click the playback screen and choose Play Speed to do so).

One major behind-the-scenes update is that WebRTC — the technology used for audio/video streaming and data sharing between browser clients — is now fully enabled by default in Firefox. This is achieved by enabling the two remaining components, PeerConnection and DataChannels, the latter of which can be used to reduce latency in real-time gaming by allowing gaming apps to connect peer-to-peer between devices.

Another new feature is the enabling of asm.js optimizations (codenamed OdinMonkey), which Mozilla promises will see major performance improvements. Other performance tweaks include asynchronous canvas updates that will improve WebGL rendering, better memory usage and shorter display times when rendering images.

Other changes include plain text files being displayed with word wrap within the Firefox window and support for using the Pointer Lock API outside of full-screen view. Developers gain access to a new built-in font inspector, and both CSS3 Flexbox and a new Web Notifications API have been implemented. HTML5 support has also been extended to support the new <date> and <time> elements.

Firefox 22.0 FINAL is available now as a free, open-source download for Windows, Mac and Linux.

Firefox 16 re-released fixing multiple vulnerabilities

The H-Online: The latest version of Firefox, version 16, has returned to Mozilla’s servers with the release of Firefox 16.0.1 after the discovery of vulnerabilities caused the organization to remove the just-released open source web browser from circulation. Mozilla’s security blog post described the problem as just that of a malicious web site being able to potentially determine the URLs and parameters used and suggested downgrading to Firefox 15.0.1, despite the numerous critical bugs fixed in Firefox 16.

But on Wednesday, Gareth Heyes, an independent security researcher, posted a proof of concept (PoC) which demonstrated that Firefox 16 was somewhat insecure with its Windows location variables, allowing an attacker to open a window pointing at some part of another site (in the PoC, twitter.com), wait for that site to redirect the window to a “logged in” page (a twitter.com profile page) and then retrieve the new location and any associated data (in the PoC, the user’s twitter handle). Accessing the location information should normally be prevented by the browser’s “Same Origin” policy.

According to Mozilla’s advisory though, a similar but separate critical flaw had been found in Firefox 16, Firefox ESR 10.0.8, SeaMonkey 2.13, Thunderbird 16 and Thunderbird ESR 10.0.8 and earlier, which not only disclosed the location object, but, in Firefox 15 and earlier, had the potential for arbitrary code execution. Firefox 16.0.1 closes both these holes. The presence of the flaw in Firefox 15 does, though, raise questions over the previous advice given by Mozilla to downgrade from 16 to 15.

But these were not the only holes fixed in 16.0.1; another security advisory says developers also identified two of the top crashing bugs in the browser engine and that these bugs showed signs of having corrupted memory. Mozilla concludes that it could be possible to exploit these holes to execute code. One of the bugs only affected FreeType on mobile devices and is therefore fixed in Firefox 16.0.1 for Android, while the other is a WebSockets bug in Firefox 16 only and is not present in Firefox ESR.

Firefox 16.0.1 is now being pushed out to the Firefox browser’s auto update system and is also available to download via auto-version-detected download or from the all systems and languages page. Firefox 16.0.1 for Android is available in the Google Play store. Thunderbird 16.0.1 is also available for download. Firefox ESR 10.0.9 and Thunderbird ESR 10.0.9 are currently being quality assured and are expected to be released soon. SeaMonkey 2.13.1 has yet to appear on the project’s releases page.

http://h-online.com/-1728382

Mozilla closes numerous critical holes in Firefox 16 [Update]

The h-online: Following the recent Firefox 16 release, Mozilla has now detailed all of the security fixes in the new version of its open source web browser as well as in the Thunderbird news and email client. Version 2.13 of the SeaMonkey “all-in-one internet application suite” has also received fixes. In addition to adding new features, version 16.0 of Firefox closes a total of 14 security holes, 11 of which are rated as “Critical” by the project.

These critical vulnerabilities include several memory handling and corruption issues, buffer overflows and the possibility of arbitrary code execution through bypassing security checks for the cross-origin properties. Another vulnerability could lead to JavaScript crashing the browser when using an invalid cast with the instanceof operator.

According to Mozilla, many of these vulnerabilities could be exploited remotely by an attacker to, for example, execute malicious code on a victim’s system.

Additionally, the desktop Firefox update corrects three high-risk vulnerabilities including a spoofing and script injection bug, and cross-site scripting (XSS) problems. The majority of these same vulnerabilities have been addressed in version 10.0.8 of Mozilla’s “enterprise” Extended Support Releases (ESR) of Firefox ESR and Thunderbird ESR. The developers have also fixed a critical issue in Reader Mode on Firefox for Android.

As they are all based on the same Gecko platform as Firefox, Thunderbird 16 (which has not been released yet) and the 2.13 release of SeaMonkey also close a number of the same security holes. However, Mozilla notes that many of the flaws “cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products”.

Further information about the security holes closed by these updates, including a full list of fixes, can be found in Mozilla’s security advisories. Firefox 16.0 (release notes), Firefox ESR 10.0.8 (release notes), Thunderbird 10.0.8 ESR (release notes) and SeaMonkey 2.13 (release notes) can be downloaded for Windows, Mac OS X and Linux from the project’s site – at the time of writing, Mozilla has yet to release Thunderbird 16. Existing users can upgrade to the new versions, either by waiting for the automated update notification or by manually checking for updates.

Update 12-10-12: Following the discovery of a privacy-related security hole, Mozilla has released version 16.0.1 of both Firefox and Thunderbird to address the problem along with other critical vulnerabilities discovered after the 16.0 releases. The organization advises all users to upgrade as soon as possible. Updates for the ESR versions of Thunderbird and Firefox are currently undergoing quality assurance testing and should be available soon. An update to SeaMonkey, version 2.13.1, is also expected, but has yet to be released at the time of writing.

http://h-online.com/-1726884

Download Firefox 15 and Thunderbird 15!

Cross-copied from BetaNews:

Mozilla has quietly placed major new versions of its open-source, cross-platform web browser and email client onto its download servers ahead of an official release.

Firefox 15 FINAL benefits largely from behind-the-scenes performance tweaks, while Thunderbird 15 FINAL introduces a few new features, including a new curvy user interface.

Firefox 15 FINAL’s most notable changes are performance-based. There’s faster startup on Windows PCs, plus incremental garbage collection and better management of plugins to prevent memory leaks. Other performance improvements surround WebGL enhancements.

Version 15 also introduces a new Maintenance Service for Windows users that’s installed by default, and which ensures all future Firefox updates are delivered promptly. This feature can be toggled on and off via the Options dialog — select Advanced and switch to the Updates tab.

Developers get a new JavaScript debugger and new Responsive Design View option that allows them to toggle between mobile and desktop views of websites. An additional layout view providing details about the size and shape of an element is now accessible from the Inspector; click the Style button to see the dimensions of the currently selected element, then click the up arrow to reveal more details.

One feature that didn’t make it through to the final release is the inline PDF browser — although present in Firefox 15 Beta, it appears to have slipped back to version 16. Neither can we confirm the existence of Mac accessibility improvements — one thing is certain, however: VoiceOver support is not yet available outside of the Nightly builds.

Those users willing to delve into the about:config portion of Firefox will find they can now toggle between showing Firefox’s options in a separate dialog box (the default) and in its own tab in the main Firefox window. Search for browser.preferences.inContent and double-click it to set it to true to enable the feature.

Similarly, the option for setting plugin content on websites to “click to play” still hasn’t been implemented by default; instead users should search for plugins.click_to_play and double-click it to switch it on.

Thunderbird Updates

Thunderbird 15 FINAL meanwhile has three major changes of note. The most obvious is the implementation of a new user interface called Australis. This introduces itself immediately with the rounded tabs at the top of the screen, but extends to redesigned lines, a repositioned toolbar and categorized filters.

The unified global search now covers the chat module, which supports Facebook, Twitter and Google Talk among others, while the “Do not track” option introduced in Firefox has been added to Thunderbird too. This option, accessible from the Web Content tab in the Security section of Thunderbird’s Options screen, is of less relevance to email users, but may stop some emails from tracking the user if they’ve signed up for the voluntary code of practice.

From November 12, Thunderbird’s code base will be split into two separate editions: Thunderbird and Thunderbird ESR. See here for details.

Both Firefox 15 FINAL and Thunderbird 15 FINAL are free, open-source downloads for Windows, Mac and Linux.

Firefox 17 to make add-ons more secure

h-Online: As suggested by some of its developers back in 2010, the Firefox browser will introduce enhanced separation between add-ons and the rest of the browser. With the change, which is planned to take effect with the release of Firefox 17, scripts on web pages will only be able to access the data belonging to add-ons if they are included in a whitelist.

The beta version of Firefox 15 already logs warning messages in the browser’s Error Console when a page that is not on the whitelist tries to access data from add-ons. This behavior has been included to make add-on developers aware of the new policy and to give them time to fix their add-on’s behavior before the release of Firefox 17.

In the current versions of Firefox, entire add-on objects can be shared by adding them to contentWindow.wrappedJSObject, which allows scripts on web sites to access all data belonging to these objects through the window.sharedObject variable. With Firefox 17, add-on developers are required to explicitly mark attributes with the __exposedProps__ property, which acts as a whitelist for objects that Firefox will share. Possible values for this property allow read-only access, write-only access and read and write access.

Web site code will not have to be modified. The change also does not affect add-ons that are passing numbers, booleans or strings from the add-on to the web page; only actual add-on objects are affected.
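The whitelist behaviour described above, as an added example that is not Mozilla's code or part of the original article: a plain-JavaScript model in which a Proxy stands in for the browser's wrapper. The helper `exposeToContent`, the object `addonApi` and its property names are hypothetical; the values "r", "w" and "rw" are the read, write and read/write modes of `__exposedProps__`.

```javascript
// Model of the Firefox 17 rule: page script reaches an add-on object only
// through a wrapper that consults the object's __exposedProps__ whitelist.
// exposeToContent() is a hypothetical helper written for this example; in
// Firefox the check is performed by the browser itself, not by add-on code.
function exposeToContent(addonObject) {
  const allowed = addonObject.__exposedProps__ || {}; // no whitelist: nothing shared
  const mode = (prop) =>
    Object.prototype.hasOwnProperty.call(allowed, prop) ? String(allowed[prop]) : "";
  const readable = (prop) => mode(prop).includes("r");
  return new Proxy(addonObject, {
    get(target, prop) {
      return readable(prop) ? target[prop] : undefined; // unlisted or write-only
    },
    set(target, prop, value) {
      if (!mode(prop).includes("w")) return false;      // unlisted or read-only
      target[prop] = value;
      return true;
    },
    has(target, prop) {
      return readable(prop) && prop in target;
    },
    ownKeys(target) {
      return Object.keys(target).filter(readable);      // hide unlisted names too
    },
    getOwnPropertyDescriptor(target, prop) {
      return readable(prop) ? Reflect.getOwnPropertyDescriptor(target, prop) : undefined;
    },
  });
}

// Constructed add-on object; every name here is illustrative.
const addonApi = {
  version: "1.2",            // page may read
  lastQuery: "",             // page may write, never read back
  theme: "light",            // page may read and write
  apiToken: "s3cr3t-token",  // internal state: not listed, so never shared
  __exposedProps__: { version: "r", lastQuery: "w", theme: "rw" },
};

// What a page script would observe through window.sharedObject in this model.
function demo() {
  const shared = exposeToContent(addonApi);
  return {
    version: shared.version,
    token: shared.apiToken,
    wroteVersion: Reflect.set(shared, "version", "9.9"),
    wroteTheme: Reflect.set(shared, "theme", "dark"),
    wroteQuery: Reflect.set(shared, "lastQuery", "cats"),
    readQuery: shared.lastQuery,
    visible: Object.keys(shared),
  };
}
```

An add-on that shares an object without `__exposedProps__` exposes nothing in this model, which matches the breakage add-on developers are asked to test for.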

Mozilla recommends that add-on developers thoroughly test their code in the Firefox 15 beta, keeping an eye out for errors in the Error Console. Afterwards, they should test with a nightly release version of Firefox 17 and see whether their add-ons break. Add-ons developed with Firefox’s Add-on SDK should be automatically compatible after updating to the latest release of the SDK, but Mozilla recommends that developers test them after updating nonetheless.

http://h-online.com/-1672626

Firefox “new tab” feature tweaked following privacy concerns

h-online: Mozilla has implemented changes to Firefox 14 that address concerns raised by privacy-conscious users over the “new tab” feature in Firefox 13. The Firefox developers have changed the browser’s behavior so that sensitive information should no longer leak via screenshots of web sites.

When opening a new tab, Firefox 13 shows users a grid of screenshots of their most visited pages. After this feature was introduced, several users complained to Mozilla and pointed out that the feature also takes screenshots of sensitive web sites such as login pages for online banking sites.

In Firefox 14 – released on Tuesday – Mozilla has implemented several tweaks to the “new tab” feature. Connections established over a secured HTTPS link are now excluded from being captured by the screenshot feature. Similarly, if the browser encounters a “Cache-Control: no-store” header, the page in question will also never be captured.

In addition to this, users can manually delete the stored screenshots by ticking the option “Browsing & Download History” from the “Clear Recent History” link in Firefox’s Privacy settings. This data can be automatically deleted whenever Firefox is shut down. If users prefer to completely disable the thumbnail feature instead, they can now open Firefox’s advanced options by entering about:config in the address bar of the browser and creating a new preference named browser.pagethumbnails.capturing_disabled which they will have to set to true.

The “new tab” feature is still controversial, however. The feature’s review by the Firefox Privacy Team has not yet been concluded and still lists the issue as “at risk: needs resolutions”. Additionally, there are still users who do not consider that the original bug has been fixed to their satisfaction.

http://h-online.com/-1647976

Firefox, Thunderbird, Panda and more updates

Mozilla Firefox: Mozilla has released a new update for Firefox, Mozilla Firefox 14.0.1. This version comes with Google secure search by default, flat buttons in the toolbar, and some performance improvements and security fixes. Read more on the Mozilla Blog.

Mozilla Thunderbird: Mozilla also updated Thunderbird to Mozilla Thunderbird 14. This version mostly focuses on stability, performance and security fixes. I think we cannot expect many more new features in Thunderbird anymore; Mozilla has announced that they changed the way they develop Thunderbird. Read it yourself on the Mozilla Blog.

Mozilla SeaMonkey: SeaMonkey has been updated to 2.11. This version is a regular update for security, stability and performance. Release notes are available on the SeaMonkey Project website.

Panda Cloud Antivirus: This is a major update to Panda Cloud Antivirus, version 2.0.0. In this version you will see a community-based firewall (Pro version only), the behavioral analysis engine is now available for free users, offline protection is improved, and much more. Read more about it on the Panda Cloud Antivirus Blog.

More Updates: Sysinternals has updated its suite: Process Explorer 15.22, Handle 3.5, Process Monitor 3.03, RAMMap 1.21, ZoomIt 4.3. Find out what’s new on the TechNet Blog.

Adobe updates Flash Player 11.3 to fix Firefox crashing problem

Adobe has released an updated version of its proprietary Flash Player 11.3 plugin to address a bug that caused Firefox 13 on Windows to crash for some users. The problem is believed to have been related to the recently introduced Protected Mode for the Windows version of Flash Player and the open source web browser; the new mode is designed to isolate the plugin from the rest of the system by running it in its own sandbox.

Following initial reports of the problem from users, Mozilla issued an update for Firefox, version 13.0.1, to fix the problem. However, some users continued to experience crashing issues when viewing Flash content with Protected Mode enabled. The new 11.3.300.262 release of the Flash Player plugin should now resolve this. According to the release notes, there is, however, a known issue that causes audio distortion when streaming some Flash content.

Existing users with the built-in background updater for Windows enabled should automatically be upgraded to the new release. Alternatively, Flash Player 11.3.300.262 is available to download from get.adobe.com/flashplayer/.

http://h-online.com/-1623783

Firefox WebSocket bug compromises Tor anonymity

The current versions of the Tor Browser Bundle (TBB) include a bug that makes it possible for information about visited web sites to leak out of the anonymising layer. On version 2.2.35-9 of TBB for Windows and version 2.2.35-10 for Mac OS X and Linux, the included version of Firefox does not send DNS requests over the Tor network if the browser is using the WebSocket protocol. This means that an attacker listening in on the connection will be able to identify the servers the user is visiting.

The only workaround for the problem currently is to completely disable the use of WebSocket in the browser. Users can do this by accessing Firefox’s advanced configuration options by entering about:config in the address bar and changing the network.websocket.enabled option to “false”.

The Tor developers are currently working on a fix for the security hole and will be releasing a new TBB version soon. More information on the issue can be found in the bug report on the Tor project’s issue tracking system.
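One way to check for the leak described above, as an added example that is not from the Tor project or the original article: a function that scans tcpdump-style text output recorded on the client while it browses through TBB and reports any plaintext DNS query leaving the machine. The function name, the sample capture lines, the addresses (documentation ranges) and the host name are constructed for illustration.

```javascript
// Matches a tcpdump text line for a DNS *query*, e.g.
//   14:02:11.120394 IP 192.0.2.23.51514 > 192.0.2.1.53: 4242+ A? chat.example.org. (34)
// Groups: source address, source port, destination address, destination port,
// query type, query name. Responses and TCP segments do not match.
const DNS_QUERY = /^\S+ IP6? (\S+)\.(\d+) > (\S+)\.(\d+): \d+\+? ([A-Z]+)\? (\S+)/;

// Returns every DNS query sent by clientIp to port 53 on a non-loopback
// resolver. While all browsing goes through Tor this list should be empty;
// a query naming a visited site means the lookup bypassed the Tor network.
function findDnsLeaks(captureLines, clientIp) {
  const leaks = [];
  for (const line of captureLines) {
    const m = DNS_QUERY.exec(line);
    if (!m) continue;
    const [, src, , dst, dstPort, qtype, qname] = m;
    if (src !== clientIp || dstPort !== "53") continue;
    if (dst === "127.0.0.1" || dst === "::1") continue; // never left the host
    leaks.push({ resolver: dst, qtype, name: qname.replace(/\.$/, "") });
  }
  return leaks;
}

// Constructed capture: relay traffic plus two DNS lookups in the clear.
const SAMPLE_CAPTURE = [
  "14:02:10.900101 IP 192.0.2.23.49822 > 203.0.113.7.9001: Flags [P.], seq 1:544, ack 1, win 229, length 543",
  "14:02:11.120394 IP 192.0.2.23.51514 > 192.0.2.1.53: 4242+ A? chat.example.org. (34)",
  "14:02:11.141872 IP 192.0.2.1.53 > 192.0.2.23.51514: 4242 1/0/0 A 198.51.100.20 (50)",
  "14:02:12.000412 IP 192.0.2.23.49822 > 203.0.113.7.9001: Flags [P.], seq 544:1087, ack 1, win 229, length 543",
  "14:02:15.300977 IP 192.0.2.23.51520 > 192.0.2.1.53: 4243+ AAAA? chat.example.org. (34)",
];

// Unique host names exposed to anyone watching the connection.
function leakedNames(captureLines, clientIp) {
  return [...new Set(findDnsLeaks(captureLines, clientIp).map((l) => l.name))];
}
```

Running the same check after setting network.websocket.enabled to false shows whether the workaround took effect for the sites being tested.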