Heard of cricket (the game, not the insect)?
It’s very like baseball, besides that batters can hit the ball wherever they like, together with backwards or sideways; bowlers can hit the batter with the ball on objective (inside sure security limits, after all – it simply wouldn’t be cricket in any other case) with out kicking off a 20-minute all-in brawl; there’s virtually at all times a break in the course of the afternoon for tea and cake; and you may rating six runs at a time so long as you hit the ball excessive and much sufficient (seven if the bowler makes a mistake as nicely).
Nicely, as cricket fanatics know, 111 runs is a superstitious rating, thought of unauspicious by many – the cricketer’s equal of Macbeth to an actor.
It’s often called a Nelson, although no person really appears to know why.
In the present day subsequently sees Firefox’s Nelson launch, with model 111.0 popping out, however there doesn’t appear to be something unauspicious about this one.
Eleven particular person patches, and two batches-of-patches
As standard, there are quite a few safety patches within the replace, together with Mozilla’s standard combo-CVE vulnerability numbers for probably exploitable bugs that have been discovered robotically and patched with out ready to see if a proof-of-concept (PoC) exploit was attainable:
- CVE-2023-28176: Reminiscence security bugs fastened in Firefox 111 and Firefox ESR 102.9. These bugs have been shared between the present model (which incorporates new options) and the ESR model, brief for prolonged assist launch (safety fixes utilized, however with new options frozen since model 102, 9 releases in the past).
- CVE-2023-28177: Reminiscence security bugs fastened in Firefox 111 solely. These bugs virtually actually solely exist in new code that introduced in new options, provided that they didn’t present up within the older ESR codebase.
These bags-of-bugs have been rated Excessive moderately than Crucial.
Mozilla admits that “we presume that with sufficient effort a few of these may have been exploited to run arbitrary code”, however nobody has but found out how to take action, or even when such exploits are possible.
Not one of the different eleven CVE-numbered bugs this month have been worse thah Excessive; three of them apply to Firefox for Android solely; and nobody has but (as far as we but know) provide you with a PoC exploit that reveals how you can abuse them in actual life.
Two notably attention-grabbing vulnerabilities seem amongst the 11, specifically:
- CVE-2023-28161: One-time permissions granted to a neighborhood file have been prolonged to different native information loaded in the identical tab. With this bug, should you opened a neighborhood file (equivalent to downloaded HTML content material) that needed entry, say, to your webcam, then another native file you opened afterwards would magically inherit that entry permission with out asking you. As Mozilla famous, this might result in hassle should you have been wanting by way of a set of things in your obtain listing – the entry permission warnings you’d see would depend upon the order through which you opened the information.
- CVE-2023-28163: Home windows Save As dialog resolved atmosphere variables. That is one other eager reminder to sanitise thine inputs, as we wish to say. In Home windows instructions, some character sequences are handled specifically, equivalent to
%USERNAME%, which will get transformed to the title of the at present logged-on consumer, or%PUBLIC%, which denotes a shared listing, often inC:Customers. A sneaky web site may use this as a technique to trick you into seeing and approving the obtain of a filename that appears innocent however lands in a listing you wouldn’t anticipate (and the place you won’t later realise it had ended up).
What to do?
Most Firefox customers will get the replace robotically, sometimes after a random delay to cease everybody’s pc downloading on the similar second…
…however you’ll be able to keep away from the wait by manually utilizing Assist > About (or Firefox > About Firefox on a Mac) on a laptop computer, or by forcing an App Retailer or Google Play replace on a cellular system.
(Should you’re a Linux consumer and Firefox is equipped by the maker of your distro, do a system replace to examine for the provision of the brand new model.)
