Firefox 26 blocks Java plugins by default
Posted on 11 December 2013.
Mozilla has released Firefox 26, which includes fixes for five critical, three high, three moderate, and three low security issues.

All Java plugins are now set to 'click to play' by default, so applets do not run until the user explicitly allows them on a site. This is a welcome security addition.

Benjamin Smedberg, Engineering Manager, Stability and Plugins at Mozilla commented: "When Mozilla conducted a user research study on the prototype implementation of click-to-play plugins earlier this year, we discovered that many users did not understand what a plugin was. Participants were confused or annoyed by the experience, especially having to enable plugins on the same site repeatedly. We redesigned the click-to-play feature to focus on enabling plugins per-site, rather than enabling individual plugin instances on the page."

The password manager now supports script-generated password fields, and Windows users without write permissions to the Firefox install directory can now apply updates (this requires the Mozilla Maintenance Service).

Here's a complete list of security fixes:
  • Mis-issued ANSSI/DCSSI certificate
  • JPEG information leak
  • GetElementIC typed array stubs can be generated outside observed typesets
  • Use-after-free in synthetic mouse movement
  • Trust settings for built-in roots ignored during EV certificate validation
  • Linux clipboard information disclosure through selection paste
  • Segmentation violation when replacing ordered list elements
  • Potential overflow in JavaScript binary search algorithms
  • Use-after-free during Table Editing
  • Use-after-free in event listeners
  • Sandbox restrictions not applied to nested object elements
  • Character encoding cross-origin XSS attack
  • Application Installation doorhanger persists on navigation
  • Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)
