Firefox 34 disables SSL 3.0 in new version

Firefox 34 disables SSL 3.0 and tackles eight security fixes

Firefox 34, the latest version of the Mozilla's popular web browser has disabled support for SSL 3.0 in reaction to the POODLE exploit, reported by We Live Security back in October.

Firefox 34, the latest version of the Mozilla’s popular web browser has disabled support for SSL 3.0 in reaction to the POODLE exploit, reported by We Live Security back in October.

Firefox 34, the latest version of the Mozilla’s popular web browser has disabled support for SSL 3.0 in reaction to the POODLE exploit, reported by We Live Security back in October.

The fix means that Firefox users will no longer be vulnerable to POODLE, an exploit found by Google researchers in October that would allow hackers to intercept plaintext data from secure connections, reports Tech Week Europe.

Speaking to SC Magazine, Chad Weiner, director of product management for Firefox said “We have dropped support for SSLv3 entirely, which will protect more users from its inherent vulnerabilities. We’re putting users’ safety online first, and trying to aggressively push the Web towards more secure alternatives (i.e. TLS 1.1 and later.)”

In all, Firefox 34 fixes eight security issues, three of which are described as critical. The first was a bug discovered by Abhishek Arya of the Google Chrome Security Team, who found a buffer overflow vulnerability when media is parsed. The second is a ‘use-after-free vulnerability’ which is “created by triggering the creation of a second root element while parsing HTML written to a document created with document.open( ),”. The final critical fix deals with a number of memory safety bugs, which “showed evidence of memory corruption under certain circumstances”, which could be potentially exploited.

Other less significant security fixes in Firefox 34 include an OSX bug where private data could be saved to a local log file, and another flaw that could allow malicious websites to obtain sensitive data.

Firefox 34  is also notable for dropping Google as its default search engine. Engadget reports that Yahoo is now the default search provider in the United States, Yandex in Russia, and Baidu in China.

Lucian Milasan / Shutterstock.com

Discussion