Firefox 18 has been released with plenty of fanfare. Mozilla promises this version is faster and more secure than what came before. I just downloaded it onto my laptop and it is faster -- slightly. As for the security features, let's look under the hood.
For starters, there are 21 security fixes:
--MFSA 2013-20: Mis-issued TURKTRUST certificates
--MFSA 2013-18: Use-after-free in Vibrate
--MFSA 2013-17: Use-after-free in ListenerManager
--MFSA 2013-16: Use-after-free in serializeToStream
--MFSA 2013-15: Privilege escalation through plugin objects
--MFSA 2013-14: Chrome Object Wrapper (COW) bypass through changing prototype
--MFSA 2013-13: Memory corruption in XBL with XML bindings containing SVG
--MFSA 2013-11: Address space layout leaked in XBL objects
--MFSA 2013-10: Event manipulation in plugin handler to bypass same-origin policy
--MFSA 2013-09: Compartment mismatch with quickstubs returned values
--MFSA 2013-08: AutoWrapperChanger fails to keep objects alive during garbage collection
--MFSA 2013-07: Crash due to handling of SSL on threads
--MFSA 2013-06: Touch events are shared across iframes
--MFSA 2013-05: Use-after-free when displaying table with many columns and column groups
--MFSA 2013-04: URL spoofing in addressbar during page loads
--MFSA 2013-03: Buffer Overflow in Canvas
--MFSA 2013-02: Use-after-free and buffer overflow issues found using Address Sanitizer
--MFSA 2013-01: Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2)
--MFSA 2012-98: Firefox installer DLL hijacking
Elsewhere, Sophos notes that the latest release officially deals with what it called the TURKTRUST SSL certificate blunder. "The code diff (the details of what was added to and removed from the source code itself, denoted by lines starting with plus and minus signs respectively) can be viewed online. You will notice that it removes TURKTRUST's most recently issued root certificate (issued in 2007 and valid until 2017) altogether," writes Naked Security's Paul Ducklin. "Presumably, when the dust has settled on this incident, TURKTRUST will mint a new root certificate and persuade the Mozilla team to re-adopt it as a bestower of trust. Additionally, the two known wrongly-issued intermediate certificates that were generated by TURKTRUST back in 2011 are now recognized by Firefox and treated as explicitly distrusted. That means that any SSL certificates signed by those intermediate certificates simply won't work."
Mozilla said in its advisory on the matter, "The issue was not specific to Firefox but there was evidence that one of the certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking the trust for these specific mis-issued certificates."
Other improvements include support for high-res Retina screens in Apple's MacBook Pro notebooks on OS X Lion and Mountain Lion, and the ability for users to nix insecure content they come across on HTTPS-secured sites.
Will all these improvements encourage me to go back to using Firefox as my default browser (I currently use Google Chrome in that capacity)? I'll get back to you on that.