The latest scheduled Firefox update is out, bringing the popular alternative browser to version 101.0.
This follows an intriguing month of Firefox 100 releases, with Firefox 100.0 arriving, as did Chromium 100 a month or so before it, without any trouble caused by the shift from a two-digit to a three-digit version number.
Early in 2022, as both Chromium and Firefox coincidentally approached their centuries at about the same time, it looked as though at least a few mainstream websites were extracting version numbers for both products incorrectly.
Some sites, it seemed, were searching the browsers’ User-Agent text strings for patterns that were hard-wired to extract just two digits’ worth of version information.
As you can imagine, folding three digits into two gives you an error a bit like the millennium bug, with 100 turning either into 10 or into 00, depending on which end you prune.
Both 0 and 10 represent version numbers from a time gone by, thus incorrectly flagging a brand-new browser as a recklessly old one, which some sites refused to accept.
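
The two pruning mistakes described above, next to a parser that accepts a major version of any length, as an added example that is not code from the article or from any of the affected sites. The User-Agent strings are constructed samples, and the "version 90 or later" policy and all function names are assumptions made for illustration.

```javascript
// Constructed sample User-Agent strings (not captured traffic).
const SAMPLES = {
  fx99:  "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0",
  fx100: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0",
  cr100: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
         "(KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36",
};

// `product` is always one of the fixed literals "Firefox" or "Chrome" below,
// so building the pattern by concatenation is safe in this sketch.

// Buggy: takes exactly two digits after the product name, so 100 is pruned to 10.
function majorKeepLeading(ua, product) {
  const m = new RegExp(product + "/(\\d{2})").exec(ua);
  return m ? Number(m[1]) : null;
}

// Buggy: takes exactly two digits before the first dot, so 100 is pruned to 00.
function majorKeepTrailing(ua, product) {
  const m = new RegExp(product + "/\\d*?(\\d{2})\\.").exec(ua);
  return m ? Number(m[1]) : null;
}

// Corrected: accept a major version of any length and compare it as a number.
function majorAnyLength(ua, product) {
  const m = new RegExp("\\b" + product + "/(\\d+)(?:\\.|\\s|$)").exec(ua);
  return m ? Number(m[1]) : null;
}

// A site-side "is this browser new enough?" gate, parameterised by parser.
function isSupported(ua, product, minMajor, parseMajor) {
  const major = parseMajor(ua, product);
  return major !== null && major >= minMajor;
}

// Hypothetical policy: the site requires major version 90 or later.
function report(minMajor = 90) {
  return Object.entries(SAMPLES).map(([name, ua]) => {
    const product = name.startsWith("fx") ? "Firefox" : "Chrome";
    return {
      name,
      leading: isSupported(ua, product, minMajor, majorKeepLeading),
      trailing: isSupported(ua, product, minMajor, majorKeepTrailing),
      fixed: isSupported(ua, product, minMajor, majorAnyLength),
    };
  });
}

console.table(report());
```

Version 99 passes all three gates, while version 100 is rejected by both two-digit parsers and accepted only by the corrected one.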
No doubt in part due to the efforts of both Google’s Chromium and Mozilla’s Firefox coders (who combined to identify ill-behaved websites, and even prepared emergency “escape mechanisms” whereby their respective browsers would continue calling themselves 99.something when visiting ill-programmed web servers), the 100.0 release of both browsers was ultimately uneventful…
…but Firefox followed its regular 100.0 release with an emergency 100.0.1 release, which turned on a brand new Windows security feature that hadn’t quite made the cut in 100.0.
We wondered why this new feature, which had been a long time in the brewing and wasn’t designed to fix a specific, known-to-be-exploitable security vulnerability, hadn’t simply been saved up and released as a new feature in the scheduled 101.0 version.
But the fact that it was just a few days before the notorious Pwn2Own hacking competition, where contestants are presented with bang-up-to-date computers on which to try their attacks, led us to assume (or at least to guess) that Mozilla figured that it was worth getting out an official release with extra anti-hacking protection, just in case.
In the end, however, Firefox was hacked, in a gloriously well-prepared double-exploit attack that took just seven seconds to break into the browser and then break back out of its protective shell for a full sandbox escape.
To its credit, Mozilla then released 100.0.2 within 48 hours, with fixes for both of these newly-disclosed bugs.
Less drama this time
We don’t doubt, therefore, that the somewhat less dramatic release of 101.0, with no zero-day security holes fixed, and no patches deemed Critical, will have been something of a relief to the Mozilla team.
In case you’re wondering, this was indeed the second full release of Firefox in the month of May 2022, which is Mozilla’s equivalent of a blue moon. (The moon doesn’t actually turn blue – that’s just the nickname used when there’s a second full moon squeezed into one calendar month.)
This is caused by the fact that Firefox updates are scheduled for every fourth Tuesday, which is once every 28 days, rather than for a specific Tuesday in each month, which is once in about every 30.5 days.
Although none of the bugs fixed in this release are Critical, there are numerous High-category fixes, plus a handful of Moderate ones, including:
- CVE-2022-31737: Heap buffer overflow in WebGL. A malicious webpage with booby-trapped graphics could trigger a memory buffer overflow, typically leading to a crash, or perhaps even to remote code execution.
- CVE-2022-31738: Browser window spoof using fullscreen mode. Web pages aren’t supposed to be able to display content outside the confines of their own display area, thus leaving the browser itself with full control of important user interface components such as the address bar and navigation buttons. A web page that could trick the browser into writing to the wrong part of the screen could bypass this “sanctity of display” protection.
- CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files. When you specify a filename on Windows, some characters aren’t always treated literally. For example, a filename of `%HOMEPATH%` doesn’t necessarily get saved under that letter-for-letter filename. Unless you “escape” those percent signs to show they’re meant literally, the special marker `%HOMEPATH%` is rewritten and replaced with the actual name of your home directory. Likewise, `%WINDIR%` denotes where Windows is installed, no matter what directory was chosen at setup time. Programs that accept filenames from untrusted sources therefore need to take care to “escape” percent signs so that they mean exactly what they say (a `%` character), instead of sneakily triggering a rewrite that could misdirect a file from one directory into another.
- CVE-2022-31743: HTML Parsing incorrectly ended HTML comments prematurely. Anything between an opening text string of `<!--` and a closing `-->` is treated as an HTML comment, and is skipped when the file is actually used. Misrecognising the end of a comment could lead to an otherwise innocent-looking page including content that wasn’t supposed to appear, or to a script element executing even though it was supposed to be ignored.
- CVE-2022-1919: Memory Corruption when manipulating webp images. This bug was essentially the opposite of a use-after-free, which is where a program hands back a block of memory so it can be used elsewhere in the program, but carries on writing to it anyway. This bug was what you might call a free-without-use, where Firefox tried to “return” memory it hadn’t been given in the first place. This could lead to a crash, or perhaps even to remote code execution.
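
The percent-sign problem described under CVE-2022-31739, modelled as an added example that is not Mozilla’s code and does not describe Mozilla’s actual fix. The environment values are constructed, the expansion function only imitates Windows-style `%NAME%` rewriting, and the policy of swapping `%` for `_` is an assumption about one reasonable way to neutralise the markers.

```javascript
// Constructed environment for illustration; real values differ per machine.
const FAKE_ENV = { HOMEPATH: "\\Users\\duck", WINDIR: "C:\\Windows" };

// Models Windows-style expansion: %NAME% becomes the variable's value
// (names are case-insensitive); unknown names are left untouched.
function expandPercentVars(text, env) {
  return text.replace(/%([^%]+)%/g, (whole, name) => {
    const key = Object.keys(env).find(k => k.toUpperCase() === name.toUpperCase());
    return key === undefined ? whole : env[key];
  });
}

// Hypothetical sanitiser for a filename suggested by an untrusted source.
// Policy (an assumption): keep only the last path component, then swap every
// '%' and every Windows-reserved character for '_' so that no %NAME% marker
// survives to be expanded by a later layer.
function safeDownloadName(suggested) {
  const base = suggested.split(/[\\/]/).pop();
  const cleaned = base.replace(/%/g, "_").replace(/[<>:"|?*\x00-\x1f]/g, "_");
  return cleaned === "" || /^\.+$/.test(cleaned) ? "download" : cleaned;
}

// True if the name is still a single path component after expansion,
// i.e. the file cannot be redirected out of the chosen download directory.
function staysSingleComponent(name, env) {
  return !/[\\/]/.test(expandPercentVars(name, env));
}

// Constructed untrusted filenames, checked before and after sanitising.
function demo() {
  const names = ["%HOMEPATH%report.pdf", "notes%windir%.txt", "100%.txt"];
  return names.map(raw => {
    const safe = safeDownloadName(raw);
    return {
      raw,
      rawOk: staysSingleComponent(raw, FAKE_ENV),
      safe,
      safeOk: staysSingleComponent(safe, FAKE_ENV),
    };
  });
}

console.table(demo());
```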
As well as these specific bugs, Mozilla also announced CVE-2022-31747 and CVE-2022-31748, vulnerability numbers designating a range of general memory mismanagement bugs found by the Firefox team and its automated bug-hunting tools.
These bugs weren’t examined in detail to see which ones could actually be exploited, but were assumed to be potentially exploitable and fixed anyway.
The first of these, CVE-2022-31747, denotes bugs fixed in both the 101.0 release and the Extended Support Release 91.10 (note that 91+10 = 101).
This implies that these bugs have been in Firefox’s codebase since the 91 release or even earlier, given that ESR 91.10 consists of the Firefox 91.0 code with all interim security fixes applied, but no new features added.
The latter designator, CVE-2022-31748, denotes bugs fixed in 101.0 only, and is a good reminder that new features do tend to bring new bugs, and helps explain why Mozilla maintains its ESR product branch.
The ESR flavour of Firefox is popular with network sysadmins who are willing to wait for new features, but not at the expense of running software that’s outdated from a security perspective.
What to do?
As usual, go to Help > About Firefox to check if you’re up to date, and to force an update if it turns out you aren’t.
(Linux/Unix users may need to check with their distro for updates if they originally installed Firefox via a distro-managed package rather than by downloading Mozilla’s own installer.)