Bug

Multiple Vulnerabilities Exposed In Pocket 88

vivaoporto writes: Clint Ruoho reports on gnu.gl blog the process of discovery, exploitation and reporting of multiple vulnerabilities in Pocket, the third party web-based service chosen by Mozilla (with some backlash) as the default way to save articles for future reading in Firefox. The vulnerabilities, exploitable by an attacker with only a browser, the Pocket mobile app and access to a server in Amazon EC2 costing 2 cents an hour, would give an attacker unrestricted root access to the server hosting the application.

The entry point was exploiting the service's main functionality itself — adding a server internal address in the "read it later" user list — to retrieve sensitive server information like the /etc/passwd file, its internal IP and the ssh private key needed to connect to it without a password. With this information it would be possible to SSH into the machine from another instance purchased in the same cloud service giving the security researcher unrestricted access. All the vulnerabilities were reported by the researcher to Pocket, and the disclosure was voluntarily delayed for 21 days from the initial report to allow Pocket time to remediate the issues identified. Pocket does not provide monetary compensation for any identified or possible vulnerability.
Firefox

Mozilla Tests Improved Privacy Mode For Firefox 125

An anonymous reader writes: Firefox's privacy mode stops your computer from keeping track of where you've browsed, but it doesn't do anything about external tracking. A new feature just rolled out to the Developer Edition and the Aurora channel now actively tries to block online services from tracking you. "Our hypothesis is that when you open a Private Browsing window in Firefox you're sending a signal that you want more control over your privacy than current private browsing experiences actually provide." The feature uses a blocklist maintained by Disconnect.me to stop you from navigating to sites known to log your personal data.
Firefox

How to Quash Firefox's Silent Requests 294

An anonymous reader writes: Unlike older versions of Firefox, more recent versions will make a request to a destination server just by hovering over a link. No CSS, no JavaScript, no prefetch required. Try it for yourself. Disable CSS and JavaScript and fire up iftop or Windows Resource Monitor, hover over some links and watch the fun begin. There once was a time when you hovered over a link to check the 'real link' before you clicked on it. Well no more. Just looking at it makes a 'silent request.' This behavior is the result of the Mozilla speculative connect API. Here is a bug referencing the API when hovering over a thumbnail on the new tab page. And another bug requesting there be an option to turn it off. Strangely enough the latter bug is still labeled WONTFIX even though the solution is in the comments (setting network.http.speculative-parallel-limit to 0).

Firefox's own How to stop Firefox from making automatic connections also mentions setting network.http.speculative-parallel-limit to 0 to stop predictive connections when a user "hovers their mouse over thumbnails on the New Tab Page or the user starts to search in the Search Bar" but no mention regarding hovering over a normal link. Good thing setting network.http.speculative-parallel-limit to 0 does appear to disable speculative connect on normal links too. One can expect Firefox to make requests in the background to its own servers for things such as checking for updates to plugins etc. But silently making requests to random links on a page (and connecting to those servers) simply by hovering over them is something very different.
Firefox

Firefox 40 Arrives With Windows 10 Support, Expanded Malware Protection 113

An anonymous reader writes: Mozilla today launched Firefox 40 for Windows, Mac, Linux, and Android. Notable additions to the browser include official Windows 10 support, added protection against unwanted software downloads, and new navigational gestures on Android. Firefox 40 for the desktop is available for download now on Firefox.com, and all existing users should be able to upgrade to it automatically. As always, the Android version is trickling out slowly on Google Play. Changelogs are here: desktop and Android.
Mozilla

Mozilla Issues Fix For Firefox Zero-Day Bug 115

An anonymous reader writes: Thursday night Mozilla released a Firefox security patch after finding a serious vulnerability that allows malicious attackers to upload files from a user's computer. The update was released about 24 hours after Mozilla learned of the flaw. In a blog post, Mozilla said, "a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1."
DRM

FirefoxOS-Based Matchstick Project Ends; All Money To Be Refunded 128

Kohenkatz writes: Matchstick, a project built on FirefoxOS that aimed to compete with Google's Chromecast, which was initially funded on Kickstarter, is shutting down and will be refunding all pledges. In a post to Kickstarter backers today, they announced that this decision was due to the difficulty of implementing the DRM components that are necessary for access to a lot of paid content. Rather than drag out the project on an unknown schedule, they have decided to end the project.
Mozilla

Mozilla CEO: Windows 10 Strips User Choice For Browsers and Other Software 371

puddingebola writes: Mozilla CEO Chris Beard has sent an open letter to Microsoft CEO Satya Nadella complaining about the default settings in Windows 10. Users who upgrade to 10 will have their default browser automatically changed to the new Edge browser. Beard said, "We appreciate that it’s still technically possible to preserve people’s previous settings and defaults, but the design of the whole upgrade experience and the default settings APIs have been changed to make this less obvious and more difficult. It now takes more than twice the number of mouse clicks, scrolling through content and some technical sophistication for people to reassert the choices they had previously made in earlier versions of Windows. It’s confusing, hard to navigate and easy to get lost. ... We strongly urge you to reconsider your business tactic here and again respect people’s right to choice and control of their online experience by making it easier, more obvious and intuitive for people to maintain the choices they have already made through the upgrade experience."
Firefox

Firefox Will Soon Show You Which Tabs Are Making Noise, and Let You Mute Them 151

An anonymous reader writes: Mozilla is working on identifying Firefox tabs that are currently playing audio. The feature will show an icon if a tab is making sounds and let the user mute the playback. It's worth noting that while Chrome has had audio indicators for more than a year now, it still doesn't let you easily mute tabs. The option is available in Google's browser, but it's not enabled by default (you have to turn on the #enable-tab-audio-muting flag in chrome://flags/).
Security

New Default: Mozilla Temporarily Disables Flash In Firefox 199

Trailrunner7 writes with news that "Mozilla has taken the unusual step of disabling by default all versions of Flash in Firefox." Two flaws that came to light from the recent document dump from Hacking Team could be used by an attacker to gain remote code execution. From Threatpost's article: One of the flaws is in Action Script 3 while the other is in the BitMapData component of Flash. Exploits for these vulnerabilities were found in the data taken from HackingTeam in the attack disclosed last week. An exploit for one of the Flash vulnerabilities, the one in ActionScript 3, has been integrated into the Angler exploit kit already and there's a module for it in the Metasploit Framework, as well. Reader Mickeycaskill adds a link to TechWeek Europe's article, which says these are the 37th and 38th flaws found in Flash so far this month, and that the development "is a blow for Flash after Alex Stamos, Facebook's new chief security officer, urged Adobe to set an 'end of life' date for the much-maligned software."
Firefox

Mozilla's Plans For Firefox: More Partnerships, Better Add-ons, Faster Updates 208

An anonymous reader writes: Mozilla is reexamining and revamping the way it builds, communicates, and decides features for its browser. In short, big changes are coming to Firefox. Dave Camp, Firefox's director of engineering, sent out two lengthy emails, just three minutes apart: Three Pillars and Revisiting how we build Firefox. Both offer a lot more detail into what Mozilla is hoping to achieve.
Firefox

Firefox 39 Released, Bringing Security Improvements and Social Sharing 172

An anonymous reader writes: Today Mozilla announced the release of Firefox 39.0, which brings a number of minor improvements to the open source browser. (Full release notes.) They've integrated Firefox Share with Firefox Hello, which means that users will be able to open video calls through links sent over social media. Internally, the browser dropped support for the insecure SSLv3 and disabled use of RC4 except where explicitly whitelisted. The SafeBrowsing malware detection now works for downloads on OS X and Linux. (Full list of security changes.) The Mac OS X version of Firefox is now running Project Silk, which makes animations and scrolling noticeably smoother. Developers now have access to the powerful Fetch API, which should provide a better interface for grabbing things over a network.
Safari

Is Safari the New Internet Explorer? 311

An anonymous reader writes: Software developer Nolan Lawson says Apple's Safari has taken the place of Microsoft's Internet Explorer as the major browser that lags behind all the others. This comes shortly after the Edge Conference, where major players in web technologies got together to discuss the state of the industry and what's ahead. Lawson says Mozilla, Google, Opera, and Microsoft were all in attendance and willing to talk — but not Apple.

"It's hard to get insight into why Apple is behaving this way. They never send anyone to web conferences, their Surfin' Safari blog is a shadow of its former self, and nobody knows what the next version of Safari will contain until that year's WWDC. In a sense, Apple is like Santa Claus, descending yearly to give us some much-anticipated presents, with no forewarning about which of our wishes he'll grant this year. And frankly, the presents have been getting smaller and smaller lately."

He argues, "At this point, we in the web community need to come to terms with the fact that Safari has become the new IE. Microsoft is repentant these days, Google is pushing the web as far as it can go, and Mozilla is still being Mozilla. Apple is really the one singer in that barbershop quartet hitting all the sour notes, and it's time we start talking about it openly instead of tiptoeing around it like we're going to hurt somebody's feelings."
Programming

WebAssembly: An Attempt To Give the Web Its Own Bytecode 126

New submitter Josiah Daniels writes with this kernel from a much more detailed article at Ars Technica about what already looks like a very important initiative: WebAssembly is a new project being worked on by people from Mozilla, Microsoft, Google, and Apple, to produce a bytecode for the Web. WebAssembly, or wasm for short, is intended to be a portable bytecode that will be efficient for browsers to download and load, providing a more efficient target for compilers than plain JavaScript or even asm.js.
Security

"Let's Encrypt" Project To Issue First Free Digital Certificates Next Month 97

An anonymous reader writes: Let's Encrypt, the project that hopes to increase the use of encryption across websites by issuing free digital certificates, is planning to issue the first ones next month. Backed by the EFF, the Mozilla Foundation, the Linux Foundation, Akamai, IdenTrust, Automattic, and Cisco, Let's Encrypt will provide free-of-charge SSL and TLS certificates to any webmaster interested in implementing HTTPS for their products. The Stack reports: "Let's Encrypt's root certificate will be cross-signed by IdenTrust, a public key CA owned by smartphone government ID card provider HID Global. Website operators are generally hesitant to use SSL/TLS certificates due to their cost. An extended validation (EV) SSL certificate can cost up to $1,000. It is also a complication for operators to set up encryption for larger web services. Let's Encrypt aims to remove these obstacles by eliminating the related costs and automating the entire process."
Firefox

Mozilla Responds To Firefox User Backlash Over Pocket Integration 351

An anonymous reader writes: Last week, Mozilla updated Firefox to add Pocket integration — software that lets you save web articles to read later. Over the weekend, some Firefox users began to voice their displeasure over the move on public forums like Bugzilla, Google Groups, and Hacker News. The complaints center around Pocket being a proprietary third-party service, which already exists as an add-on, and is not a required component for a browser. Integrating Pocket directly into Firefox means it cannot be removed, only disabled. In response, Mozilla has released a statement saying users like the integration and the integration code is open source.
Mozilla

Mozilla Plans To Build Virtual Reality APIs Into Firefox By the End of 2015 91

An anonymous reader writes: Mozilla's VR research team is hard at work making virtual reality native to the web. The group wants more than a few experimental VR-only websites; they want responsive VR websites that can adapt seamlessly between VR and non-VR, from mobile to desktop, built with HTML and CSS. Experimental work is already underway, and now the team says that they 'aim to have support for the WebVR API shipping with our release channel builds of Firefox Desktop by end of this year.' Those with the Oculus Rift developer kit can already try out a few native WebVR experiences using Firefox Nightly.
Chrome

Ask Slashdot: Options After Google Chrome Discontinues NPAPI Support? 208

An anonymous reader writes: I've been using Google Chrome almost exclusively for more than 3 years. I stopped using Mozilla Firefox because it was becoming bloated and slow, and I migrated all my bookmarks etc. to Chrome. Now Chrome plans to end NPAPI support — which means that I will not be able to access any sites that use Java, and I need this for work. I tried going back to Firefox for a couple of days but it still seems slow — starting it takes time, even the time taken to load a page seems more than Chrome. So what are my options now? Export all my bookmarks and go back to Mozilla Firefox and just learn to live with the performance drop? Or can I tweak Firefox performance in any way? FWIW, I am on a Windows 7 machine at work.
Cellphones

Mozilla Drops $25 Smartphone Plans, Will Focus On Higher Quality Devices 90

An anonymous reader writes: When Mozilla developed Firefox OS, its goal was not to provide the best smartphone experience, but to provide a "good enough" smartphone experience for a very low price. Unfortunately, these cheap handsets failed to make a dent in the overall smartphone market, and the organization is now shifting its strategy to start producing a better experience for better devices. CEO Chris Beard said, "If you are going to try to play in that world, you need to offer something that is so valuable that people are willing to give up access to the broader ecosystem. In the mass market, that's basically impossible." Of course, when moving to the midrange smartphone market, or even the high end, there's still plenty of competition, so the new strategy may not work any better. However, they've hinted at plans to start supporting Android apps, which could help them play catch-up. Beard seems fixated on this new goal: "We won't allow ourselves to be distracted, and we won't expand to new segments until significant traction is demonstrated." He adds, "We will build products that feel like Mozilla."
Firefox

Firefox's Optional Tracking Protection Reduces Load Time For News Sites By 44% 207

An anonymous reader writes: Former Mozilla software engineer Monica Chew and Computer Science researcher Georgios Kontaxis recently released a paper (PDF) that examines Firefox's optional Tracking Protection feature. The duo found that with Tracking Protection enabled, the Alexa top 200 news sites saw a 67.5 percent reduction in the number of HTTP cookies set. Furthermore, performance benefits included a 44 percent median reduction in page load time and 39 percent reduction in data usage.
Firefox

Ads Based On Browsing History Are Coming To All Firefox Users 531

An anonymous reader writes: Mozilla has announced plans to launch a feature called "Suggested Tiles," which will provide sponsored recommendations to visit certain websites when other websites show up in the user's new tab page. The tiles will begin to show up for beta channel users next week, and the company is asking for feedback. For testing purposes, users will only see Suggested Tiles "promoting Firefox for Android, Firefox Marketplace, and other Mozilla causes." It's not yet known what websites will show up on the tiles when the feature launches later this summer. The company says, "With Suggested Tiles, we want to show the world that it is possible to do relevant advertising and content recommendations while still respecting users’ privacy and giving them control over their data."