Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Firefox 46 Tackles Security Issues, Improves Performance

Firefox 46 Tackles Security Issues, Improves Performance

Mozilla has released Firefox 46, fixing critical vulnerabilities and including improved security of the JavaScript JIT Compiler.

Most significant in 46 are fixes for security and performance improvements. Out of 10 vulnerabilities fixed, one was critical, four high impact, and the remaining six ranked moderate.

The critical issue relates to what Mozilla describe as Miscellaneous memory safety hazards, with bugs showing evidence "of memory corruption under certain circumstances," that the team say "with enough effort" could potentially have been exploited to run arbitrary code.

Among the high impact issues were vulnerabilities in Firefox for Android where, using orientation data and motion sensors on a mobile device, an attacker could infer touch actions. Mozilla report that, left unfixed, this could have compromised user privacy and potentially revealed "entered PIN code data along with other user activities."

New in this release is an important update to the JavaScript Just In Time (JIT) Compiler. In the blog post W^X JIT-code enabled in Firefox Mozilla software engineer Jan de Mooij says

Almost all JITs (including the ones in Firefox until now) allocate memory pages for code with RWX (read-write-execute) permissions. JITs typically need to patch code (for inline caches, for instance) and with writable memory they can do that with no performance overhead.

However, de Mooij says that with this comes with problems with both memory corruption and security, with RWX pages making it easier to exploit bugs. In Firefox 46, JIT-code pages are now non-writable by default.

Commenting on the change, de Mooij admitted W^X was not "perfect" or "a silver bullet to stop all exploits," but stood firm that it makes "certain exploits harder...only a few (relatively short) code paths have access to RW code, and only for a very short time window."

Mozilla has also fixed in Firefox 46 numerous issues with WebRTC, to improve both stability and performance for users.

For Firefox users on Android, the 46 release brings a haul of new updates. Among these are notifications for tabs opened in the background now listing the URLs, the introduction of default domains for auto-completion, and Firefox now requesting permissions at runtime. Firefox 46 removes support on Android for Honeycomb, as well as removing support for Firefox Sync 1.1, in favor of Firefox Accounts.

For Linux/GNU users, Firefox 46 comes with long-awaited GTK3 integration for GNOME and other desktops.

The 46 release includes for developers a new view for the Memory tool, called Dominators.

dominatorsDescribed as "useful for understanding the 'retained size' of objects allocated by your site," the Dominators tree shows which nodes are retaining the most memory.

This gives information on "the retained size of the node, as bytes and as a percentage of the total", "the shallow size of the node, as bytes and as a percentage of the total," and "the nodes's name and address in memory."

In Firefox 47 the Retaining Paths panel shows the 5 shortest retaining paths for a single node, making it possible to see all the nodes that are keeping the given node from being garbage-collected. Retaining paths makes it possible to see which objects are holding a reference to an object being leaked.

A full list of changes in version 46 is available in the release notes.

Mozilla welcome newcomers who want to be part of the Firefox project, and there are many ways that InfoQ readers can contribute to Firefox. A full list of options is available on the Mozilla Developer Network where Mozilla also publish a number of How To guides

Rate this Article