Six security advisories – three of which are deemed critical – were addressed in the Tuesday release of Firefox 32, which also comes with some new features, including public key pinning support that is enabled by default.
Public key pinning is an extension for HTTPS/SSL that lets the browser “know” the characteristics for the legitimate certificate of a site, Wolfgang Kandek, CTO at Qualys, told SCMagazine.com in a Wednesday email correspondence, explaining that an alert is raised when going to a site where the certificates do not match.
“This mechanism defends against man-in-the-middle (MitM) attacks in SSL,” Kandek said. “A typical MitM attack that can be detected with this technology would be an entity wanting to eavesdrop on SSL communication with a site.”
Public key pinning also reduces phishing attacks, Sid Stamm, senior engineering manager of security and privacy at Mozilla, told SCMagazine.com in a Wednesday email correspondence, adding Mozilla is continuously working to stop attackers from exploiting certificates that should never have been issued.
“This can happen for many reasons, including a [certificate authority (CA)] compromise, a CA violating our policies, or even mistakes in the issuance process,” Stamm said, going on to add, “Our main goal is to reduce risk present in the CA system, and pinning will help. It makes HTTPS connections safer by providing stronger assurance that the site you think you’re on is actually the right one.”
Public key pinning in Firefox 32 is limited to Mozilla and Twitter sites, but it will expand in Firefox 33 as Mozilla adds sites that are in the Google Chrome browser. Kandek said Google Chrome has had public key pinning for about three years now.
Three critical security advisories were addressed in Firefox 32, including a use-after-free setting text directionality, a use-after-free during DOM interactions with SVG, and miscellaneous memory safety hazards, according to a post.
Fixes were issued for high impact advisories regarding an uninitialized memory use during GIF rendering, and a profile directory file access through file: protocol that only affects Firefox for Android; a moderate impact out-of-bounds read in Web Audio audio timeline advisory was also addressed, the post indicates.
Altogether, eight individual vulnerabilities were fixed. Mozilla has posted an entire list of Firefox 32 release notes here.