Firefox has followed Chromium to the century mark, reaching a score of 100* with its latest scheduled almost-monthly release.
For readers without the sporting good fortune of living in a cricket-playing country, an individual score of 100 in a single innings, also known as a century or a ton, is considered a noteworthy achievement.
Adding an asterisk after the score means “not out”, in other words that the batter is still going strong (or completed their innings without getting out at all), making the feat even more noteworthy.
We know you’re wondering, and if you aren’t you should be, so we’ll mention that from 1959 to 1994, the highest ever score worldwide in first-class cricket was 499, with no asterisk, by the late, great Pakistani batter Hanif Mohammed. Desperate to reach 500 before he ran out of batting time, he took a weary risk for that magical 500th run but fell one short. That total wasn’t eclipsed until 1994, when West Indian batter Brian Lara got to 501*, a record that has stood ever since. Indeed, the only first-class score of 400 or more since Lara’s 501* was Lara’s own 400* in 2004, playing in an international match against England in Antigua. At its current release rate of once every four weeks, Firefox has just over 23 years to go to equal Lara’s quadruple century, and nearly 30 years to reach 502*.
No trouble at the version number mill
Earlier this year, we wrote about the potential confusion that Chrome (now at 101) and Firefox (100 today) might cause for some users…
…not through any fault on the part of Google or Mozilla, the respective curators of the Chromium and Firefox codebases, but because at least a few web servers seemed unable to recognise three-digit version numbers correctly.
Today’s ever-funkier and ever-keener-to-track-you websites love to look at your HTTP headers to try to figure out which browser you’re using, and what version you’re on, for example by dissecting the User-Agent header to decide what sort of content to send back.
After updating, our Firefox User-Agent string now looks like this:
    GET / HTTP/1.1
    Host: testsite.example
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept-Encoding: gzip, deflate, br
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    [. . . .]
Back in February 2022, a few mainstream sites didn’t seem to understand that 100 was greater than 99, presumably because they were hard-coded to use only the first (or last) two characters of the version number, millennium bug style, thus turning the text 100 either into the number 10, or into the number zero.
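The truncation described above, reproduced as an added example (not code from the article or from any affected site): two flawed parsers that keep only the first or last two characters of the major version, beside one that reads the whole number. The sample headers, the function names and the minimum version of 60 are constructed for illustration.

```python
import re

# Constructed sample headers; the Firefox 100 value has the form shown above.
SAMPLE_UAS = {
    "firefox99": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0",
    "firefox100": "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0",
}

# Capture every digit of the major version, however many there are.
_FIREFOX_MAJOR = re.compile(r"\bFirefox/(\d+)")


def _major_text(user_agent):
    """Return the major version as text, or None if this is not a Firefox header."""
    match = _FIREFOX_MAJOR.search(user_agent or "")
    return match.group(1) if match else None


def major_first_two(user_agent):
    """Flawed: keeps the first two characters, so the text '100' becomes 10."""
    text = _major_text(user_agent)
    return int(text[:2]) if text else None


def major_last_two(user_agent):
    """Flawed: keeps the last two characters, so the text '100' becomes 0."""
    text = _major_text(user_agent)
    return int(text[-2:]) if text else None


def major_correct(user_agent):
    """Reads the whole number, so three-digit versions compare correctly."""
    text = _major_text(user_agent)
    return int(text) if text else None


def minimum_version_gate(user_agent, parser, minimum=60):
    """Hypothetical server-side check: is the browser new enough for the modern page?"""
    major = parser(user_agent)
    return major is not None and major >= minimum


def compare_parsers(user_agent):
    """Show what each parser makes of one header, for side-by-side review."""
    parsers = (major_first_two, major_last_two, major_correct)
    return {fn.__name__: fn(user_agent) for fn in parsers}
```

Running `compare_parsers` over both sample headers shows that all three parsers agree on version 99 and disagree only once the third digit appears, which is why the flaw stayed hidden until the rollover.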
Fortunately, we haven’t had any visible trouble with Edge, which is based on Chromium and flipped over from 99 to 100 at the start of April (keeping just ahead of Firefox with 101 out at the start of May), and in the few hours that we’ve been on Firefox 100.0, we’ve had no problems either.
We’re assuming either that the last few poorly-coded websites fixed their server-side code in the interim, or that the “special case” lists of problem sites created in recent months by Google and Firefox have suppressed any problems, for example by allowing both browsers to pretend as needed still to be version 99.
Bug fixes in this update
The good news is that none of the security bugs patched in Firefox 100 (or its equivalent long-term version 91.9 ESR, which has the feature set of Firefox 91 plus an additional nine versions’ worth of vulnerability updates to bring it onto a cybersecurity par with 100) is considered “Critical”, and there are no zero-day holes on the list.
Nevertheless, the patches deal with an intriguing range of security issues, reminding us all just how much we rely on our browsers to do the right thing when it comes to cybersecurity.
CVE-numbered vulnerabilities dealt with in this update include:
- CVE-2022-29914. Fullscreen notification bypass using popups. An attacker who knew the right trick could have popped up misleading or fraudulent content that looked like an official notification provided by Firefox itself. Popups and page content are supposed to be easy to tell apart from information coming from the browser, which is why a web page isn’t allowed to place a misleading image over the top of the address bar that tells you what site you’re on, or to present a dialog that looks like an official browser security warning but tells a dishonest story.
- CVE-2022-29916. Leaking browser history with CSS variables. Websites aren’t supposed to be able to retrieve a list of other sites you’ve visited without your permission. This not only violates your privacy but also provides cybercriminals with useful information that might help them when attacking you or your company in future.
- CVE-2022-29910. Firefox for Android forgot HTTP Strict Transport Security (HSTS) settings. HSTS is a local database maintained by your browser that tells it which websites to visit using HTTPS, even if you click a link or type in a URL that starts with plain old http://. Although most websites immediately redirect HTTP connections to the corresponding HTTPS page anyway, that initial HTTP connection is open to hijack because there’s no encryption or integrity checking of the redirect data that’s sent back. HSTS therefore limits your exposure to your very first visit to a site, when the HSTS setting will be activated, which is a lot safer than needing to risk the insecure redirect every time you visit.
- CVE-2022-29917 and -29918. Memory safety bugs fixed in Firefox 100 and 91.9 ESR. As usual, the Mozilla coders openly admit that “we presume that with enough effort some of these [bugs] could have been exploited to run arbitrary code.” In other words, this update is worth getting for this reason alone, given that exploits are much easier for attackers to figure out after they’ve been patched, because the changes in the code essentially act as hints about where to look, and what to look for.
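How the HSTS behaviour in the CVE-2022-29910 item plays out, as an added sketch rather than Firefox’s own code: a small in-memory HSTS store that records a Strict-Transport-Security header and upgrades later http:// URLs. The class, its method names and the timestamps are assumptions made for illustration, and explicit port numbers are not handled.

```python
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Toy model of a browser's local HSTS database (illustrative, not Firefox code)."""

    def __init__(self):
        self._entries = {}  # host -> (expiry time in seconds, include_subdomains)

    def note_header(self, host, header_value, now):
        """Record a Strict-Transport-Security header received over HTTPS from host."""
        max_age, include_sub = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            value = value.strip().strip('"')
            if name.lower() == "max-age" and value.isdigit():
                max_age = int(value)
            elif name.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return                                   # max-age is required; ignore header
        if max_age == 0:
            self._entries.pop(host.lower(), None)    # the site asked to be forgotten
        else:
            self._entries[host.lower()] = (now + max_age, include_sub)

    def _covered(self, host, now):
        """True if host, or a parent that set includeSubDomains, has a live entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade http:// to https:// before any request leaves the browser."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self._covered(parts.hostname, now):
            # Assumption: sample URLs carry no explicit port, so netloc is reused as-is.
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url
```

A freshly created `HstsStore()` behaves like a browser that has forgotten its settings: every http:// URL goes out unmodified again, so each visit is exposed in the way the first visit is.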
What to do?
Use Help > About Firefox to force a manual check for updates.
Remember that even if you have automatic updates turned on, it’s worth checking that you’ve correctly received the update, instead of simply assuming it worked.