The newest full new model of Firefox is out, marking the primary of two “month-to-month” upgrades you’ll see this month.
Simply as there shall be a blue moon in August 2023 (that’s the identify utilized to a second full moon in the identical calendar month, moderately than reference to an atmospheric phenomenon that makes the moon appear blue, in case you ever puzzled), there shall be a blue Firefox too.
Firefox model upgrades occur each 28 days, moderately than as soon as a month, so at any time when a launch comes out early sufficient within the month, there shall be a second improve squeezed in on the finish.
Teachable moments
Thankfully there aren’t any zero-day vulnerabilities this time, however the next bug experiences caught our eye:
- CVE-2023-4045: Offscreen Canvas may have bypassed cross-origin restrictions. One webpage may peek at pictures displayed in one other web page from a special web site. The identical-origin coverage in browsers is meant to limit the attain of HTML and JavaScript content material from web site X so it may well entry kinds, knowledge, pictures, cookies and the like provided that they too initially got here from web site X. Any tips that may bypass this same-origin safety can theoretically be used to slurp up so-called cross-origin knowledge that shouldn’t be accessible in any respect.
- CVE-2023-4047: Potential permissions request bypass by way of clickjacking. A rogue web page may tempt you to click on on a carefully-placed merchandise, resembling a wholly innocent-looking button, just for the enter to register as a click on in a safety dialog that didn’t pop up in time so that you can see. Probably dangerous permissions, resembling accessing your location, sending notifications, activating the microphone and so forth, are usually not alleged to be granted till you’ve seen and acted on a transparent warning from the browser itself.
- CVE-2023-4048: Crash in DOMParser as a result of out-of-memory situations. DOM is brief for doc object mannequin, and the DOMParser is the code that deconstructs the HTML in an internet web page that the browser is rendering for show, turning it into a giant JavaScript knowledge object during which all the person parts resembling paragraphs, headings, pictures, desk gadgets and so forth might be accessed and modified programmatically. Complicated pages sometimes flip into massive JavaScript constructions that may take loads of reminiscence to determine after which to retailer. Assume {that a} decided attacker may intentionally eat up reminiscence by loading quite a lot of massive however harmless pages, after which predictably set off a crash utilizing a crafted HTML file that will get fetched at simply the unsuitable time.
- CVE-2023-4050: Stack buffer overflow in StorageManager. That is an old-school stack overflow that doesn’t get detected in time by Firefox itself, and will due to this fact result in a crash as a substitute of a managed shutdown. All crashes attributable to the inaccurate move of execution in a program (resembling leaping to any invalid reminiscence handle X) must be thought of doubtlessly exploitable. Assume {that a} decided attacker may determine methods to affect the worth of X, and thereby achieve not less than some measure of malevolent management over the crash.
- CVE-2023-4051: Full display notification obscured by file open dialog. Fullscreen mode is all the time a bit dangerous, as a result of it provides the online web page you’re viewing exact management over each pixel on the display. Which means there aren’t any elements of the show that may be modified solely by the browser itself or solely by the working system. That’s why browsers intention to warn you earlier than giving over the entire show to an internet web page, so you realize that popups that appear to be official browser or working system dialogs is likely to be no such factor.
- CVE-2023-4057 and CVE-2023-4058: Reminiscence security bugs fastened in numerous Firefox variations. As traditional, although none of those bugs was clearly exploitable, and so they have been fastened proactively anyway, Mozilla has rated them “Excessive” and given its ever-frank evaluation that “we presume that with sufficient effort a few of these may have been exploited to run arbitrary code.”
What to do?
The brand new variations you might be on the lookout for after updating are:
- Firefox 116 if you happen to’re on the most recent model.
- Firefox ESR 115.1 in case you are a person of the Prolonged Help Launch, which incorporates safety patches however doesn’t add new options. (Including 115+1 from the ESR model quantity tells you that this launch aligns with Firefox 116 for safety fixes, although its function set aligns with Firefox 115.)
- Thunderbird 115.1 if you happen to use Mozilla’s electronic mail software program, which incorporates the Firefox net searching code for rendering HTML emails and viewing emailed net hyperlinks.
Head to Firefox -> About Firefox when you have a Mac, or Assist -> About Firefox on different platforms.
Dont neglect, if you happen to use one of many BSDs or a Linux distro, that your Firefox launch is likely to be managed by the distro itself, so verify along with your supplier for updates.
