It’s time for this month’s scheduled Firefox replace (technically, with 28 days between updates, you generally get two updates in a single calendar month, however July 2022 isn’t a kind of months)…
…and the excellent news is that the worst bugs listed, which get a danger class of Excessive, are these discovered by Mozilla itself utilizing automated bug-hunting instruments, and lumped togther below two catchall CVE numbers:
- CVE-2022-36320: Reminiscence security bugs mounted in Firefox 103.
- CVE-2022-2505: Reminiscence security bugs mounted in Firefox 103 and 102.1.
The explanation that these bugs are break up into two teams is that Mozilla formally helps two flavours of its browser.
There’s the latest-and-greatest model, at the moment 103, which has all the newest options and related safety fixes.
And there’s the Prolonged Help Launch (ESR) flavour, which synchs up with the options within the newest model each few months, however in between will get safety updates solely, thus bringing in new options solely after they’ve been accessible to check out within the mainstream model for a while.
As you possibly can think about, sysadmins and IT groups who assist Firefox at work usually like ESRs as a result of it means they don’t should foist new options on their very own customers (or take the inevitable assist calls about new menu choices, completely different icons and modified behaviour) with out good warning.
There are virtually all the time not less than a number of bugs mounted within the mainstream Firefox model that don’t seem within the ESR, and thus can’t be mounted there, as a result of the bugs are new, launched within the new code added to assist the brand new options.
That is one more reason that some sysadmins like ESR-style software program, provided that the code in these variations has been geneally uncovered to real-life scrutiny for longer, with out lagging behind on safety patches.
In reality, Mozilla retains two ESR variations, to be able to attempt the earlier and the present ESR variations on the similar time earlier than making the change, thus by no means needing to make use of the cutting-edge model our your manufacturing community in any respect. (See beneath for the newest model numbers of all currently-supported variations.)
Deceptive your clicks
Of the opposite six bugs on the patch checklist, we expect two are intriguing and necessary, as a result of each of them give attackers an opportunity to trick you into clicking one thing that isn’t what it appears:
- CVE-2022-36319: Mouse Place spoofing with CSS transforms. Merely put, this bug implies that a booby-trapped web site may depart your mouse pointer positioned on the fallacious spot within the browser window, in order that clicking your mouse gained’t register the place you anticipate. This trick is commonly known as clickjacking, the place a scammer makes you assume you’re clicking someplace secure, when actually you’re clicking on a hyperlink or button you’d intentionally have prevented if solely you knew. In its easiest type, clickjacking can engineer pretend social media likes or undesirable ad impressions. At worst, it will possibly lead you straight into hurt from phishing assaults or pretend downloads that aren’t apparent, even in the event you’re searching for them.
- CVE-2022-36314: Opening native
.lnkinformation may trigger surprising community masses.LNKinformation are Home windows shortcuts, that are a complete can of safety worms in their very own proper. (A.LNKfile can sneakily redirect you to a file of kind X, resembling.EXE, whereas presenting itself with an icon of kind Y, resembling.PDF.) On this case, an online hyperlink that specified an area .LNKfile, may, if clicked, redirect you to a file saved someplace on the community as a substitute. Though there’s no suggestion that the information fetched this fashion could possibly be used for distant code execution (in different phrases, to make unauthorised adjustments, together with implanting malware), you might simply be tricked into trusting distant content material below the mistaken impression that it was native knowledge. Any community request leaks some info to the particular person working the server on the different finish, so it’s necessary in your browser to present you an correct concept of the place every hyperlink you click on will take you.
LEARN MORE ABOUT SHORTCUTS AND MALWARE
What to do?
As standard, go to Assist > About Firefox and see whether or not the popup field tells you Firefox is updated or affords you a clickable button labelled [Update to X].
This time, the model you’re after is 103.0 (in the event you’re utilizing the mainstream model), ESR 102.1 (in the event you’re on the latest ESR model), or ESR 91.12 (in the event you’re on the oldest ESR flavour).
As we’ve defined earlier than, however assume it’s value mentioning once more, the 2 numbers within the ESR launch identifiers add collectively to indicate the mainstream launch that they match up with when it comes to safety updates.
So, provided that the present mainstream model is 103, you possibly can shortly inform than 102.1 ESR (102+1 = 103) and 91.12 ESR (91+12 = 103) are the latest releases of their respective lineages.
