Firefox 26 blocks Java plugins by default
Posted on 11 December 2013.
Mozilla released Firefox 26, which includes five critical, three high, three moderate, and three low security updates.


All Java plug-ins now default to 'click to play', which is a welcome security addition.

Benjamin Smedberg, Engineering Manager, Stability and Plugins at Mozilla, commented: "When Mozilla conducted a user research study on the prototype implementation of click-to-play plugins earlier this year, we discovered that many users did not understand what a plugin was. Participants were confused or annoyed by the experience, especially having to enable plugins on the same site repeatedly. We redesigned the click-to-play feature to focus on enabling plugins per-site, rather than enabling individual plugin instances on the page."

The password manager now supports script-generated password fields, and Windows users without write permissions to the Firefox install directory can now perform updates (requires Mozilla Maintenance Service).

Here's a complete list of security fixes:
  • Mis-issued ANSSI/DCSSI certificate
  • JPEG information leak
  • GetElementIC typed array stubs can be generated outside observed typesets
  • Use-after-free in synthetic mouse movement
  • Trust settings for built-in roots ignored during EV certificate validation
  • Linux clipboard information disclosure through selection paste
  • Segmentation violation when replacing ordered list elements
  • Potential overflow in JavaScript binary search algorithms
  • Use-after-free during Table Editing
  • Use-after-free in event listeners
  • Sandbox restrictions not applied to nested object elements
  • Character encoding cross-origin XSS attack
  • Application Installation doorhanger persists on navigation
  • Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)
