
Critical bugs fixed in Firefox 34, SSL 3.0 support disabled

While one of the bigger changes in the Monday release of Firefox 34 is Yahoo! becoming the default search engine for North America, Mozilla also provided fixes for vulnerabilities – a few of which are deemed critical – and additionally disabled support for SSL 3.0.

Abhishek Arya of the Google Chrome Security Team is credited with identifying a critical buffer overflow vulnerability during the parsing of media content, according to an advisory, which adds that the bug can lead to a potentially exploitable crash.

Security researcher Berend-Jan Wever is credited with reporting a critical use-after-free vulnerability “created by triggering the creation of a second root element while parsing HTML written to a document created with document.open(),” according to another release, which also adds that the bug can lead to a potentially exploitable crash.

A third advisory indicates that fixes were issued for several critical memory safety bugs in the browser engine used by Firefox, as well as other Mozilla-based products. The advisory notes that the vulnerabilities “showed evidence of memory corruption under certain circumstances,” and could possibly be exploited to run arbitrary code.

The other vulnerabilities addressed in Firefox 34 were deemed high impact or moderate impact, and include a bug that could result in private data being saved to a log file on local OS X systems, and a flaw that could be exploited by a malicious website to obtain sensitive information such as usernames.

Disabling support for SSL 3.0 will address POODLE, a severe vulnerability in SSL 3.0 that was discovered by Google researchers in October and could enable an attacker to intercept plaintext data from secure connections.

“We have dropped support for SSLv3 entirely, which will protect more users from its inherent vulnerabilities,” Chad Weiner, director of product management for Firefox, told SCMagazine.com in a Tuesday email correspondence. “We're putting users' safety online first, and trying to aggressively push the Web towards more secure alternatives (i.e. TLS 1.1 and later.).”

Fallback to SSL 3.0 was removed in Chrome 39 when the Google browser was promoted to the stable channel in November, as indicated in a tweet by Adam Langley, senior staff software engineer at Google. Langley wrote in October that SSL 3.0 would be disabled completely in Chrome 40.
