This month’s scheduled Firefox release is out, with the brand new 102.0 version patching 19 CVE-numbered bugs.
Despite the large number of CVEs, the patches don’t include any bugs already being exploited in the wild (known in the jargon as zero-days), and don’t include any bugs rated Critical.
Perhaps the most significant patch is the one for CVE-2022-34479, entitled: A popup window could be resized in a way to overlay the address bar with web content.
This bug allows a malicious website to create a popup window and then resize it so that it overwrites the browser’s own address bar.
Fortunately, this address bar spoofing bug only applies to Firefox on Linux; on other operating systems, the bug apparently can’t be triggered.
As you probably know, the browser’s own visual components, including the menu bar, search bar, address bar, security alerts, HTTPS padlock icon and more, are supposed to be shielded from manipulation by the untrusted web pages that the browser renders.
These sacrosanct user interface components are known in the jargon as chrome (from which Google’s browser gets its name, in case you were wondering).
Browser chrome is off-limits to web pages for obvious reasons: to prevent bogus websites from misrepresenting themselves as legitimate.
This means that even though phishing sites often reproduce the look-and-feel of a legitimate website with uncanny precision, they aren’t supposed to be able to trick your browser into presenting them as if they had been downloaded from a genuine URL.
Image-based RCEs
Intriguingly, this month’s fixes include two CVEs that have the same bug title, and that permit the same security misbehaviour, even though they’re otherwise unrelated and were found by different bug-hunters.
CVE-2022-34482 and CVE-2022-34482 are both headlined: Drag and drop of malicious image could have led to malicious executable and potential code execution.
As the bug name suggests, these flaws mean that an image file that you save to your desktop by dragging-and-dropping it out of Firefox could end up saved to disk with an extension such as .EXE instead of with the more innocent extension you were expecting, such as .PNG or .JPG.
Given that Windows annoyingly (and wrongly, in our opinion) doesn’t show you file extensions by default, these Firefox bugs could lead you to trust the file you just dropped onto your desktop, and therefore to open it without ever being aware of its true filename.
(If you save the file by more conventional means such as Right click > Save Image As…, the full filename, complete with extension, is revealed.)
These bugs aren’t true remote code execution (RCE) vulnerabilities, given that an attacker needs to persuade you to save content from a web page onto your computer and then to open it up from there, but they do make it more likely that you would launch a malicious file by mistake.
As an aside, we strongly recommend that you tell Windows to show all file extensions, instead of secretly suppressing them, by changing the File name extensions option in File Explorer.
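The drag-and-drop bugs above boil down to one thing: the name a saved file carries and the bytes it actually contains can disagree, and Windows hides the part of the name that would give the game away. The following is an added example, not code from the article or from Mozilla, that shows how a defender (or a cautious user) can check a download folder for exactly that disagreement: it compares each file’s extension against the file signature (“magic bytes”) at the start of the file, and flags anything that is really a Windows PE executable, whatever it is called. The sample files are constructed inline; the signature table and the list of run-on-open extensions are the author’s own assumptions, not taken from the article.

```python
# Added example, not code from the article or from Mozilla: check that a file
# saved from the browser is really the image type its name claims, and is not
# a Windows executable hiding behind a misleading or hidden extension.
import os
from typing import Dict

# File signatures ("magic bytes") for the image types the article mentions.
IMAGE_SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}
# Extensions Windows will run directly when double-clicked (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi"}
# Every Windows PE executable starts with the two bytes 'MZ'.
PE_MAGIC = b"MZ"


def classify_download(filename: str, head: bytes) -> str:
    """Classify a saved file from its name and its first few bytes.

    Returns one of: 'executable', 'executable-extension',
    'not-an-image-extension', 'content-mismatch', 'ok'.
    """
    name = os.path.basename(filename).lower()
    _stem, ext = os.path.splitext(name)  # 'cat.png.exe' -> ext '.exe'
    if head.startswith(PE_MAGIC):
        # Content wins over name: this is a PE binary whatever it is called.
        return "executable"
    if ext in EXECUTABLE_EXTENSIONS:
        return "executable-extension"
    if ext not in IMAGE_SIGNATURES:
        return "not-an-image-extension"
    if not head.startswith(IMAGE_SIGNATURES[ext]):
        # Named like an image, but the bytes say otherwise.
        return "content-mismatch"
    return "ok"


def check_directory(path: str) -> Dict[str, str]:
    """Classify every regular file in a download folder (e.g. the desktop)."""
    results = {}
    for entry in os.scandir(path):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                results[entry.name] = classify_download(entry.name, fh.read(16))
    return results


# Constructed sample files (name -> first bytes); none are real downloads.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "cat.png.exe": b"MZ\x90\x00" + b"\x00" * 12,   # shows as 'cat.png' when extensions are hidden
    "dog.png": b"MZ\x90\x00" + b"\x00" * 12,       # image name, executable content
    "notes.jpg": b"GIF89a" + b"\x00" * 10,         # wrong image type for the name
    "manual.txt.scr": b"not a pe" + b"\x00" * 8,   # run-on-open extension, non-PE content
}


def check_samples() -> Dict[str, str]:
    """Run the classifier over the constructed samples."""
    return {name: classify_download(name, head) for name, head in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name:16} {verdict}")
```

The check reads only the first 16 bytes of each file, so it is safe to run over a folder of untrusted downloads without opening or executing anything; the PE test deliberately comes before the extension test, because a file with image bytes and an odd name is a nuisance, whereas a file with an MZ header and an image name is the exact case the article warns about.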
Fixes for Follina!
Last month’s Big Bad Windows Bug was Follina, properly known as CVE-2022-30190.
Follina was a nasty code execution exploit whereby an attacker could send you a booby-trapped Microsoft Office document that linked to a URL starting with the characters ms-msdt:.
That document would then automatically run PowerShell code of the attacker’s choice, even if all you did was browse to the file in Explorer with the preview pane turned on.
Firefox has weighed in with additional mitigations of its own by essentially “disowning” Microsoft’s proprietary URL schemes starting with ms-msdt: and other potentially dangerous names, so that it no longer even asks you whether you want to process the URL:
The ms-msdt, search, and search-ms protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited via Firefox), so in this release Firefox has blocked these protocols from prompting the user to open them.
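Firefox’s change stops the browser itself from handing one of these URL schemes to Windows, but the Follina documents described above carry the link inside the Office file, so a defender also wants a way to spot such links on disk or in an email gateway. The following is an added example, not code from the article or from Mozilla, that scans an Office document (a ZIP of XML parts) for external relationship targets that use the three schemes Mozilla named: ms-msdt:, search: and search-ms:. The two sample documents are constructed in memory with placeholder targets, and the check only looks at relationship targets that appear directly in the document’s .rels parts; a document that reaches the scheme indirectly, via an external page, would need that page fetched and checked as well.

```python
# Added example, not code from the article or from Mozilla: scan an Office
# document (a ZIP of XML parts) for external relationship targets that use the
# URL schemes Firefox 102 stopped prompting for: ms-msdt:, search:, search-ms:.
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

BLOCKED_SCHEMES = ("ms-msdt:", "search:", "search-ms:")
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def uses_blocked_scheme(target: str) -> bool:
    """True if the target URL starts with one of the blocked schemes."""
    t = target.strip().lower()
    return any(t.startswith(scheme) for scheme in BLOCKED_SCHEMES)


def scan_office_document(data: bytes) -> List[Tuple[str, str, str]]:
    """Return (part name, relationship id, target) for every external
    relationship in any .rels part whose target uses a blocked scheme."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(RELS_NS + "Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and uses_blocked_scheme(target):
                    findings.append((part, rel.get("Id", "?"), target))
    return findings


def build_sample_docx(rels_xml: str) -> bytes:
    """Build a minimal, constructed .docx in memory around the given rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationship parts: one benign, one carrying blocked schemes.
# The ms-msdt:/search-ms: targets are placeholders, not real payload URLs.
CLEAN_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
                Target="https://example.com/page" TargetMode="External"/>
</Relationships>"""

SUSPICIOUS_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
                Target="https://example.com/page" TargetMode="External"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
                Target="ms-msdt:/constructed-placeholder" TargetMode="External"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
                Target="search-ms:constructed-placeholder" TargetMode="External"/>
</Relationships>"""


def scan_samples() -> dict:
    """Scan both constructed documents and return the findings for each."""
    return {
        "clean": scan_office_document(build_sample_docx(CLEAN_RELS)),
        "suspicious": scan_office_document(build_sample_docx(SUSPICIOUS_RELS)),
    }


if __name__ == "__main__":
    for label, hits in scan_samples().items():
        print(label, "->", hits or "no blocked schemes")
```

Scanning the relationship parts rather than grepping the whole archive keeps false positives down (the word “search” appears in plenty of harmless documents) while still catching the scheme wherever a document part links out to it; the same function works unchanged on .xlsx and .pptx files, because all three formats store their external links in .rels parts under the same namespace.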
What to do?
Just go to Help > About Firefox to check what version you’re on: you’re looking for 102.0.
If you’re up-to-date then a popup will tell you so; if not, the popup will offer to start the update for you.
If you or your company has stuck to the Firefox Extended Support Release (ESR), which includes feature updates only every few months but delivers security updates whenever needed, you’re looking for ESR 91.11.
Remember that ESR 91.11 denotes Firefox 91 with 11 updates’ worth of security fixes, and since 91+11 = 102, you can easily tell that you’re level with the latest mainstream version as far as security patches are concerned.
Linux and BSD users who have installed Firefox via their distro will need to check with their distro for the needed update.