The latest scheduled Firefox update is out, bringing the popular alternative browser to version 101.0.
This follows an intriguing month of Firefox 100 releases, with Firefox 100.0 arriving, as did Chromium 100 a month or so before it, without any trouble caused by the shift from a two-digit to a three-digit version number.
Early in 2022, as both Chromium and Firefox coincidentally approached their centuries at about the same time, it looked as though at least a few mainstream websites were extracting version numbers for both products incorrectly.
Some sites, it seemed, were searching the browsers’ `User-Agent` text strings for patterns that were hard-wired to extract just two digits’ worth of version information.
As you can imagine, folding three digits into two gives you an error a bit like the millennium bug, with `100` turning either into `10` or into `00`, depending on which end you prune.
Both 0 and 10 represent version numbers from a time gone by, thus incorrectly flagging a brand-new browser as a recklessly old one, which some sites refused to accept.
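The two-digit pruning described above, next to a parser that takes the whole major version, as an added example that is not code from any of the affected sites. The sample `User-Agent` strings are constructed, and the minimum-version policy (`MIN_MAJOR`) is a hypothetical one.

```javascript
// Constructed sample User-Agent strings in the usual Firefox and Chrome layouts.
const SAMPLES = {
  firefox99: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0",
  firefox100: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0",
  chrome100: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36",
};

// Flawed: keeps only the first two digits after the product token ("100" -> 10).
function majorFirstTwoDigits(ua) {
  const m = /(?:Firefox|Chrome)\/(\d{2})/.exec(ua);
  return m ? Number(m[1]) : null;
}

// Flawed: keeps only the two digits just before the first dot ("100" -> 0).
function majorLastTwoDigits(ua) {
  const m = /(?:Firefox|Chrome)\/\d*(\d{2})\./.exec(ua);
  return m ? Number(m[1]) : null;
}

// Corrected: take every digit of the major version, however many there are.
function majorVersion(ua) {
  const m = /(?:Firefox|Chrome)\/(\d+)/.exec(ua);
  return m ? Number.parseInt(m[1], 10) : null;
}

// Hypothetical site policy: refuse browsers older than MIN_MAJOR.
const MIN_MAJOR = 60;
function isAccepted(ua, parse) {
  const major = parse(ua);
  return major !== null && major >= MIN_MAJOR;
}

// Run all three parsers over the samples and report what a site would decide.
function compareParsers() {
  return Object.entries(SAMPLES).map(([name, ua]) => ({
    name,
    firstTwo: majorFirstTwoDigits(ua),
    lastTwo: majorLastTwoDigits(ua),
    correct: majorVersion(ua),
    acceptedByFlawed: isAccepted(ua, majorFirstTwoDigits),
    acceptedByCorrect: isAccepted(ua, majorVersion),
  }));
}

console.table(compareParsers());
```

Both flawed parsers behave correctly on version 99, which is why this kind of check can sit unnoticed until the version number gains a digit.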
No doubt thanks in part to the efforts of both Google’s Chromium and Mozilla’s Firefox coders (who combined to identify ill-behaved websites, and even prepared emergency “escape mechanisms” whereby their respective browsers would continue calling themselves `99.something` when visiting ill-programmed web servers), the 100.0 launch of both browsers was ultimately uneventful…
…but Firefox followed its regular 100.0 release with an emergency 100.0.1 release, which turned on a brand new Windows security feature that hadn’t quite made the cut in 100.0.
We wondered why this new feature, which had been a long time in the brewing and wasn’t designed to fix a specific, known-to-be-exploitable security vulnerability, hadn’t simply been saved up and released as a new feature in the scheduled 101.0 version.
But the fact that it was just a couple of days before the notorious Pwn2Own hacking competition, where contestants are presented with bang-up-to-date computers on which to try their attacks, led us to assume (or at least to guess) that Mozilla figured that it was worth getting out an official release with extra anti-hacking protection, just in case.
In the end, however, Firefox was hacked, in a gloriously well-prepared double-exploit attack that took just seven seconds to break into the browser and then break back out of its protective shell for a full sandbox escape.
To its credit, Mozilla then released 100.0.2 within 48 hours, with fixes for both of these newly-disclosed bugs.
Less drama this time
We don’t doubt, therefore, that the somewhat less dramatic release of 101.0, with no zero-day security holes fixed, and no patches deemed Critical, may have been something of a relief to the Mozilla team.
In case you’re wondering, this was indeed the second full release of Firefox in the month of May 2022, which is Mozilla’s equivalent of a blue moon. (The moon doesn’t actually turn blue – that’s just the nickname used when there’s a second full moon squeezed into one calendar month.)
This is caused by the fact that Firefox updates are scheduled for every fourth Tuesday, which is once every 28 days, rather than for a specific Tuesday in each month, which is once in about every 30.5 days.
Although none of the bugs fixed in this release are Critical, there are numerous High-category fixes, plus a handful of Moderate ones, including:
- CVE-2022-31737: Heap buffer overflow in WebGL. A malicious webpage with booby-trapped graphics could cause a memory buffer overflow, typically leading to a crash, or perhaps even to remote code execution.
- CVE-2022-31738: Browser window spoof using fullscreen mode. Web pages aren’t supposed to be able to display content outside the confines of their own display area, thus leaving the browser itself with full control of important user interface components such as the address bar and navigation buttons. A web page that could trick the browser into writing to the wrong part of the screen could bypass this “sanctity of display” protection.
- CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files. When you specify a filename on Windows, some characters aren’t always treated literally. For example, a filename of `%HOMEPATH%` doesn’t necessarily get saved under that letter-for-letter filename. Unless you “escape” those % signs to denote they’re meant literally, the special marker `%HOMEPATH%` is rewritten and replaced with the actual name of your home directory. Likewise, `%WINDIR%` denotes where Windows is installed, no matter what directory was chosen at setup time. Programs that accept filenames from untrusted sources therefore need to take care to “escape” % signs so that they mean exactly what they say (a `%` character), instead of sneakily triggering a rewrite that could misdirect a file from one directory into another.
- CVE-2022-31743: HTML Parsing incorrectly ended HTML comments prematurely. Anything between an opening text string of `<!--` and a closing `-->` is treated as an HTML comment, and is skipped when the file is actually used. Misrecognising the end of a comment could lead to an otherwise innocent-looking page including content that wasn’t supposed to appear, or to a script element executing even though it was supposed to be ignored.
- CVE-2022-1919: Memory Corruption when manipulating webp images. This bug was essentially the opposite of a use-after-free, which is where a program hands back a block of memory so it can be used elsewhere in the program, but carries on writing to it anyway. This bug was what you might call a free-without-use, where Firefox tried to “return” memory it hadn’t been given in the first place. This could lead to a crash, or perhaps even to remote code execution.
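For the `%HOMEPATH%` issue in CVE-2022-31739 above, here is an added example of neutralising an untrusted download filename before it is used; it is not Mozilla’s fix. The sanitiser name, the constructed `ENV` values and the choice to replace `%` with `_` (a substitution, not the escaping the text mentions) are all assumptions, and `expandMarkers` is only a model of the rewriting described above.

```javascript
// Constructed environment standing in for a Windows user's variables.
const ENV = { HOMEPATH: "\\Users\\alice", WINDIR: "C:\\Windows" };

// Model of a consumer that rewrites %NAME% markers, as the text describes.
function expandMarkers(name, env = ENV) {
  return name.replace(/%([^%]+)%/g, (whole, key) => {
    const k = key.toUpperCase(); // variable names are case-insensitive
    return Object.prototype.hasOwnProperty.call(env, k) ? env[k] : whole;
  });
}

// Hypothetical sanitiser for a filename supplied by a web server.
// Assumption: "%" is replaced with "_" rather than escaped.
function sanitizeDownloadName(untrusted) {
  const leaf = String(untrusted).split(/[\\/]/).pop(); // drop any directory part
  const cleaned = leaf
    .replace(/%/g, "_")                   // no %NAME% marker can survive
    .replace(/[<>:"|?*\x00-\x1f]/g, "_")  // characters Windows rejects in names
    .replace(/[. ]+$/, "");               // trailing dots and spaces
  return cleaned === "" ? "download" : cleaned;
}

// True when the name means exactly what it says, even if markers are expanded.
function isStableUnderExpansion(name) {
  return expandMarkers(name) === name;
}

// Constructed inputs: raw name, sanitised name, and whether each is stable.
function auditNames(names) {
  return names.map((raw) => {
    const safe = sanitizeDownloadName(raw);
    return {
      raw,
      rawStable: isStableUnderExpansion(raw),
      safe,
      safeStable: isStableUnderExpansion(safe),
    };
  });
}

console.table(
  auditNames(["invoice.pdf", "%HOMEPATH%", "notes %windir%.txt", "subdir\\%HOMEPATH%"])
);
```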
As well as these specific bugs, Mozilla also announced CVE-2022-31747 and CVE-2022-31748, vulnerability numbers designating a range of general memory mismanagement bugs found by the Firefox team and its automated bug-hunting tools.
These bugs weren’t examined in detail to see which ones could actually be exploited, but were assumed to be potentially exploitable and fixed anyway.
The first of these, CVE-2022-31747, denotes bugs fixed in both the 101.0 release and the Extended Support Release 91.10 (note that 91+10 = 101).
This implies that these bugs have been in Firefox’s codebase since the 91 release or even earlier, given that ESR 91.10 consists of the Firefox 91.0 code with all interim security fixes applied, but no new features added.
The latter designator, CVE-2022-31748, denotes bugs fixed in 101.0 only, and is a good reminder that new features do tend to bring new bugs, and helps explain why Mozilla maintains its ESR product branch.
The ESR flavour of Firefox is popular with network sysadmins who are willing to wait for new features, but not at the expense of running software that’s out-of-date from a security point of view.
What to do?
As usual, go to Help > About Firefox to check if you’re up-to-date, and to force an update if it turns out you aren’t.
(Linux/Unix users may need to refer to their distro for updates if they originally installed Firefox via a distro-managed package rather than by downloading Mozilla’s own installer.)