New security features in Firefox 18

A look at what Mozilla did to make Firefox 18 more ironclad than previous versions.

Firefox 18 has been released with plenty of fanfare. Mozilla promises this version is faster and more secure than what came before. I just downloaded it onto my laptop and it is faster -- slightly. As for the security features, let's look under the hood.

For starters, there are 21 security fixes:

--MFSA 2013-20: Mis-issued TURKTRUST certificates

--MFSA 2013-19: Use-after-free in Javascript Proxy objects

--MFSA 2013-18: Use-after-free in Vibrate

--MFSA 2013-17: Use-after-free in ListenerManager

--MFSA 2013-16: Use-after-free in serializeToStream

--MFSA 2013-15: Privilege escalation through plugin objects

--MFSA 2013-14: Chrome Object Wrapper (COW) bypass through changing prototype

--MFSA 2013-13: Memory corruption in XBL with XML bindings containing SVG

--MFSA 2013-12: Buffer overflow in Javascript string concatenation

--MFSA 2013-11: Address space layout leaked in XBL objects

--MFSA 2013-10: Event manipulation in plugin handler to bypass same-origin policy

--MFSA 2013-09: Compartment mismatch with quickstubs returned values

--MFSA 2013-08: AutoWrapperChanger fails to keep objects alive during garbage collection

--MFSA 2013-07: Crash due to handling of SSL on threads

--MFSA 2013-06: Touch events are shared across iframes

--MFSA 2013-05: Use-after-free when displaying table with many columns and column groups

--MFSA 2013-04: URL spoofing in addressbar during page loads

--MFSA 2013-03: Buffer Overflow in Canvas

--MFSA 2013-02: Use-after-free and buffer overflow issues found using Address Sanitizer

--MFSA 2013-01: Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2)

--MFSA 2012-98: Firefox installer DLL hijacking

The actual number of vulnerabilities fixed is staggering. Sophos put the count at 2,917 in its Naked Security blog.

The big security improvement in Firefox 18 is a new JavaScript engine, known as IonMonkey. Here's how Mozilla describes it:

IonMonkey is a huge step forward for our JavaScript performance and our compiler architecture. But also, it’s been a highly focused, year-long project on behalf of the IonMonkey team, and we’re super excited to see it land.

SpiderMonkey has a storied history of just-in-time compilers. Throughout all of them, however, we’ve been missing a key component you’d find in typical production compilers, like for Java or C++. The old TraceMonkey*, and newer JägerMonkey, both had a fairly direct translation from JavaScript to machine code. There was no middle step. There was no way for the compilers to take a step back, look at the translation results, and optimize them further.

IonMonkey provides a brand new architecture that allows us to do just that. It essentially has three steps: Translate JavaScript to an intermediate representation (IR). Run various algorithms to optimize the IR. Translate the final IR to machine code.

Elsewhere, Sophos notes that the latest release officially deals with what it called the TURKTRUST SSL certificate blunder. "The code diff (the details of what was added to and removed from the source code itself, denoted by lines starting with plus and minus signs respectively) can be viewed online. You will notice that it removes TURKTRUST's most recently issued root certificate (issued in 2007 and valid until 2017) altogether," writes Naked Security's Paul Ducklin. "Presuambly, when the dust has settled on this incident, TURKTRUST will mint a new root certificate and persuade the Mozilla team to re-adopt it as a bestower of trust. Additionally, the two known wrongly-issued intermediate certificates that were generated by TURKTRUST back in 2011 are now recognized by Firefox and treated as explicitly distrusted. That means that any SSL certificates signed by those intermediate certificates simply won't work."

Mozilla said in its advisory on the matter, "The issue was not specific to Firefox but there was evidence that one of the certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking the trust for these specific mis-issued certificates."

Other improvements include support for high-res retina screens in Apple's MacBook Pro notebooks on OS X Lion and Mountain Lion. This allows users to nix insecure content they come across on HTTPS-secured sites.

Will all these improvements encourage me to go back to using Firefox as my default browser (I currently use Google Chrome in that capacity)? I'll get back to you on that.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.