Firefox 8 is a mixed bag for data security (Op/Ed)
Mozilla this week announced the arrival of the latest version of its open-source Firefox web browser, which features one of the most significant security updates to the software to date. However, despite the improvement, new Twitter integration in the web browser may open users to data security challenges if they are not careful.
In recent months, Mozilla has adopted a new update strategy for the web browser. Rather than periodically launching a completely revamped version of the software every year or two, new releases are now much more frequent, arriving every few months with smaller fixes rather than sweeping overhauls.
This is a strategy also employed by Google and its Chrome web browser. The main goal of this process is to make new features available to software users more quickly. Mozilla, for its part, appears to be hooked on the six-week schedule, as it has released five new versions of Firefox since late March 2011.
The latest version, Firefox 8, was officially launched on Tuesday, but arrived a day ahead on Mozilla's FTP servers. With Firefox 8, Mozilla has fixed seven security vulnerabilities, as well as introduced a security feature that disables third-party add-ons by default. The new version also features deeper Twitter integration, which could potentially present data security issues.
Security fixes
Of the seven security fixes, four are considered critical and three are high priority. A critical vulnerability implies that attacker code can be run and software installed without the user knowing or necessarily doing anything out of the ordinary. Meanwhile, a high-priority vulnerability is one that can be used to steal data from sites that the user visits or inject code – also without the user engaging in browsing activities out of the ordinary.
One of the high-priority flaws pertains only to Mac users, and Mozilla insisted that it was more a flaw with the Mac OS X hardware than Firefox itself.
"This problem is due to a bug in the driver for Intel integrated GPUs on recent Mac OS X hardware, and the problem can be seen in WebGL implementations from other vendors," said Mozilla's Claus Wahlers in an advisory, adding that Firefox 8 includes a "work-around" to avoid any issues.
Add-on management
This is perhaps the most notable update to the software. The feature was actually introduced in the beta version of the web browser but gets its official debut in Firefox 8. Essentially, Firefox 8 gives users the choice to opt in to a third-party add-on.
"Sometimes you download third-party software and are surprised to discover that an add-on has also installed itself in your browser without asking permission," the company said in a blog post. "At Mozilla, we think you should be in control, so we are disabling add-ons installed by third parties without your permission and letting you pick the ones you want to keep."
This should not only improve the web browser's performance, it should provide some additional security as well. Though the large majority of third-party add-ons are harmless, the vetting process for such applications tends to be less strict, meaning the likelihood of vulnerabilities is greater. Allowing users to opt in to an application rather than opt out should provide some peace of mind to Firefox users, as they will have more control over what goes on in their web browser.
Twitter integration
The other highlight of the Firefox 8 update is the addition of Twitter into the browser's search bar. Previous versions of Firefox included Google, Yahoo and other search options, but this is the first time a social network has been introduced to the mix.
"Twitter is now included as a search option in Firefox for Windows, Mac and Linux," the company said. "Twitter search in Firefox makes it easier to discover new topics, #hashtags and @usernames."
The idea is to make it easier to search and browse Twitter posts, which in and of itself is not a data security threat. However, users should be careful to avoid engaging in any activity that may put their data in harm's way.
The nature of Twitter – which is often anonymous and frequently includes links to external sources – presents several security concerns. A user may unknowingly or accidentally click a link that leads to a malicious website or downloads a virus.
This is not inherently Mozilla's responsibility, but it is something that Firefox users should be aware of. A 2010 Barracuda Labs study found that the Twitter crime rate – that is, the number of suspended accounts – grew 20 percent compared to the previous year. Moreover, Twitter accounted for 8 percent of the malware uncovered during the study. With this in mind, Firefox 8 users should employ a degree of caution when using the newly added feature.
Challenges still ahead
While it is evident that Mozilla has made a significant effort to improve the safety of its Firefox users, there is still work to be done. Some of this falls on Mozilla's shoulders, some on the users.
For example, Mozilla might take a page out of Google's book, as the Chrome browser has the ability to identify certain malicious or suspicious websites and warn the user before proceeding. Mozilla could apply this to malicious Twitter posts, stopping a user before he or she wanders to a website from a suspect link.
For the user, it is important to stay up to date with the latest security offerings. Given Mozilla's new rapid-fire update schedule, many users may be inclined to skip a version of the web browser. However, Firefox 8 clearly makes progress in terms of security and could prove beneficial to a user's data protection. Additionally, other action, such as installing antivirus software or using data encryption, can further bolster security efforts.
Data Security News from SimplySecurity.com by Trend Micro