The Mac Security Blog

Firefox 23 Brings Mixed Content Blocking with Security Fixes

Last week, Mozilla released Firefox 23 for Mac OS X, which includes 13 fixes for known vulnerabilities (4 Critical, 7 High, 1 Moderate, 1 Low) and comes bundled with a new security feature called the Mixed Content Blocker. Among the critical issues resolved in this update were several memory safety bugs that, presumably, could be exploited with enough effort to run arbitrary code. All of the critical bugs fixed in Firefox 23 could cause a potentially exploitable crash.

Multiple cross-site scripting (XSS) issues were fixed in Firefox 23. For instance, this update fixed a problem with the interaction of frames and browser history that made it possible for the browser to believe “attacker-supplied content came from the location of a previous page in browser history,” a vulnerability rated high that allows for XSS attacks. In all versions of Firefox before 23, the vulnerabilities rated “high” can be used to gather sensitive data from other sites that a user is visiting or to inject data or code into those sites.

Following is a complete list of the security issues resolved in the Firefox 23 update:

Mozilla’s Firefox 23 also brings Mixed Content Blocking, an interesting new security feature that will try to prevent man-in-the-middle attacks and protect users from eavesdroppers on HTTPS pages. The Mozilla blog provided additional information about the new feature, including the following:

When an HTTPS page contains HTTP resources, the HTTP resources are called Mixed Content. […] Firefox will block certain types of Mixed Content by default, providing a per-page option for users to “Disable Protection” and override the blocking.

You can click through to the Mozilla blog for further details about how the browser will inform users about a potential security threat.
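For site owners who want to know what the blocker will act on, the following added example (not code from Mozilla or from this blog) scans an HTTPS page's markup for HTTP subresources. The active/display split is Mozilla's terminology for what Firefox 23 blocks versus still loads and is not spelled out on this page; the function names, tag lists and `.test` hosts are assumptions, and the regex scan is for triage rather than full HTML parsing.

```javascript
// Added example: audit an HTTPS page's markup for Mixed Content.
// "active" loads can script or restyle the page (blocked by default in Firefox 23);
// "display" loads such as images are still fetched. Tag lists are a simplified subset.
const ACTIVE = { script: "src", iframe: "src", object: "data", embed: "src" };
const DISPLAY = { img: "src", audio: "src", video: "src", source: "src" };

// Parse name="value", name='value' and name=value pairs from one tag's attribute text.
function parseAttrs(text) {
  const out = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(text)) !== null) out[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return out;
}

function findMixedContent(pageUrl, html) {
  // Mixed Content only exists when the top-level page itself is HTTPS.
  if (new URL(pageUrl).protocol !== "https:") return [];
  const findings = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    let attr, kind;
    if (tag === "link" && /\bstylesheet\b/i.test(attrs.rel || "")) {
      attr = "href"; kind = "active";
    } else if (ACTIVE[tag]) {
      attr = ACTIVE[tag]; kind = "active";
    } else if (DISPLAY[tag]) {
      attr = DISPLAY[tag]; kind = "display";
    } else continue;
    if (!attrs[attr]) continue;
    let resolved;
    try { resolved = new URL(attrs[attr], pageUrl); } catch { continue; }
    // Relative and protocol-relative URLs inherit https: and are not mixed.
    if (resolved.protocol === "http:") findings.push({ tag, kind, url: resolved.href });
  }
  return findings;
}

// Constructed sample markup (hosts under .test are placeholders).
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="http://static.example.test/app.js"></script>
<script src="//static.example.test/ok.js"></script>
<img src="http://static.example.test/logo.png">
<img src="/local.png">
<iframe src='https://frames.example.test/widget'></iframe>`;
for (const f of findMixedContent("https://shop.example.test/cart", SAMPLE_HTML))
  console.log(`${f.kind.padEnd(7)} <${f.tag}> ${f.url}`);
```

Entries reported as `active` are the ones to move to HTTPS first, since those are the loads that stop working for visitors once the blocker is on.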

You can update Firefox to the latest version on your Mac by using the browser’s internal updater (go to Firefox > About Firefox > Check for Updates). You can also head over to Mozilla’s download page to get Firefox 23 on your Mac.
