Mozilla has released a new version of Firefox that fixes 22 security vulnerabilities, including the so-called Logjam attack. From now on the browser will also check downloads by Mac and Linux users for malware. Of the 22 vulnerabilities, 13 have been marked as critical, which means an attacker can fully take over the computer if a user with a vulnerable Firefox version visits a hacked or malicious website, according to the release notes of Firefox 39.
Although Mozilla reports 13 vulnerabilities, some updates appear to resolve several vulnerabilities at once, and therefore fewer updates have been released.
One of the updates fixes the Logjam attack. The Logjam attack allows an attacker who is positioned between a victim and the internet to downgrade vulnerable TLS connections to 512-bit encryption. This allows the attacker to decrypt or change all data that passes over the encrypted connection. The issue has now been resolved in Firefox 39.
Another issue affected only Mac users. Crash reports of the OS X version of Firefox sometimes contained personal information. The reports contained the key that caused the crash, but sometimes keystrokes were also added to the report. A problem with the built-in PDF reader of Firefox has also been resolved. The vulnerability allowed arbitrary code to be executed.
A new feature in Firefox is the addition of Google Safe Browsing technology, which checks all downloaded files for malware. As soon as a user downloads an executable file, its digital signature is checked. If the file is signed, Firefox compares the signature with a list of known safe publishers. Based on the list, the feature is able to determine whether a file is safe or malware.
If Firefox is not able to identify the file, the browser will ask the Google Safe Browsing service whether the software is safe. To do this, metadata of the download is sent to Google. The measure is enabled by default for Mac OS X and Linux users.
Updating to Firefox 39 can be performed through the automatic update feature of the browser or on Mozilla.org.
Many of the issues in Firefox also affect Thunderbird. Mozilla has therefore also announced Thunderbird 38.1. However, this version is not available for download yet. It was scheduled for the end of this week, but Thunderbird 38.1 hasn’t been released yet. This means that users of the email client are potentially at risk, as information about the vulnerabilities has already been disclosed.