The new version brings many updates and bug fixes. A complete list of changes in Firefox 44 is available here. Briefly, the most important changes are:
- Extensions without a digital signature are not blocked. The introduction of stricter add-on controls has been postponed until April 2016 and the release of Firefox 46;
- Support for the Push API and, accordingly, push notifications has been added;
- Support for the Brotli data compression format has been added;
- A new tool for monitoring memory state has been introduced;
- Warnings about problematic certificates have been redesigned and now look more convincing;
- The browser now informs the user if a page containing a password input form is served over HTTP (and, hence, is not secure);
- The browser will also warn on HTTPS pages that support only the RC4 algorithm.
In addition, the release of Firefox 44 fixes 12 vulnerabilities, including three rated «critical» and two rated «high».
The first critical bug is associated with the ANGLE graphics library, the handling of zip files, and the libstagefright library. If the last name seems familiar to you, that is not surprising. The same library was the cause of the much-publicized Stagefright vulnerability discovered in the Android operating system. The security bulletin states that the vulnerability in libstagefright can be exploited with a malicious MP4 file, which could allow an attacker to execute arbitrary code in the browser.
The second critical bug is a buffer overflow in WebGL, though this problem could only lead to a browser crash and does not allow remote execution of arbitrary code.
The third and final problem rated “critical” combines several memory vulnerabilities that affect not only Firefox but other Mozilla products as well. According to the bulletin, some of these bugs could, under certain conditions, corrupt data in memory. The developers believe that an attacker who showed sufficient diligence could use these flaws to achieve arbitrary code execution. The bulletin notes separately that these vulnerabilities cannot be exploited through the Thunderbird mail client, since scripting is disabled there by default.
Two vulnerabilities with a “high” threat level have also been fixed. One of them allows a spoofing attack through the address bar. The second, an error in the Network Security Services set of libraries, weakened cryptography in the browser.
Among the other security-related changes, it is worth noting the end of support for the RC4 cipher, promised in September last year, and the removal of the Equifax certificate authority's 1024-bit root certificate from the list of trusted certificates.