This month's scheduled Firefox release is out, with the brand new 102.0 version patching 19 CVE-numbered bugs.
Despite the large number of CVEs, the patches don't include any bugs already being exploited in the wild (known in the jargon as zero-days), and don't include any bugs rated Critical on Mozilla's scale, although several are rated High, the next level down.
Perhaps the most significant patch is the one for CVE-2022-34479, entitled: A popup window could be resized in a way to overlay the address bar with web content.
This bug allows a malicious website to create a popup window and then resize it so that web content of the attacker's choosing is drawn over the top of the browser's own address bar.
Fortunately, this address bar spoofing bug only applies to Firefox on Linux; on other operating systems, the bug apparently can't be triggered.
As you know, the browser's own visual components, including the menu bar, search bar, address bar, security alerts, HTTPS padlock icon and more, are supposed to be shielded from manipulation by untrusted web pages rendered by the browser.
These sacrosanct user interface components are known in the jargon as chrome (from which Google's browser gets its name, in case you were wondering).
Browser chrome is off-limits to web pages for obvious reasons: to prevent bogus websites from misrepresenting themselves as trustworthy.
This means that although phishing sites often reproduce the look-and-feel of a legitimate website with uncanny precision, they aren't supposed to be able to trick your browser into presenting them as if they had been served from a genuine URL. A page that can paint its own fake address bar, padlock and all, undermines the one indicator users are told to rely on.
Image-based RCEs
Intriguingly, this month's fixes include two CVEs that have the same bug title and permit the same security misbehaviour, even though they are otherwise unrelated and were found by different bug-hunters.
CVE-2022-34482 and CVE-2022-34483 are both headlined: Drag and drop of malicious image could have led to malicious executable and potential code execution.
As the bug name suggests, these flaws mean that an image file you save to your desktop by dragging-and-dropping it out of Firefox could end up stored on disk with an extension such as .EXE instead of with the more innocent extension you were expecting, such as .PNG or .JPG.
Given that Windows annoyingly (and wrongly, in our opinion) doesn't show you file extensions by default, these Firefox bugs could lead you to trust the file you just dropped onto your desktop, and therefore to open it without ever being aware of its true filename.
(If you save the file by more conventional means such as Right click > Save Image As..., the full filename, complete with extension, is revealed before you commit to saving it.)
These bugs aren't true remote code execution (RCE) vulnerabilities, given that an attacker needs to persuade you to save content from a web page onto your computer and then to open it from there, but they do make it more likely that you would launch a malicious file by mistake.
As an aside, we strongly recommend that you tell Windows to show all file extensions, instead of secretly suppressing them, by turning on the File name extensions option on the View tab in File Explorer. With extensions hidden, a file called cat.png.exe is displayed as cat.png, which is exactly the confusion this class of bug trades on.
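As an added example, not code from the article or from Mozilla, here is a small Python check of the kind a practitioner might run over a Downloads or Desktop folder after an incident like the one described above: it compares each file's leading bytes (its magic number) with the extension its name advertises, and it separately flags the double-extension trick, where a name such as cat.png.exe is displayed as cat.png once Windows hides extensions. The file names, byte samples and the set of "executable" extensions are assumptions chosen for illustration; the PNG, JPEG, GIF and PE (MZ) signatures are the standard ones.

```python
# Added example, not code from the article or from Mozilla: decide whether a file
# "dropped" onto the desktop is what its name claims, by comparing its leading
# bytes (magic numbers) with its extension and by spotting the double-extension
# trick ("cat.png.exe" displays as "cat.png" when Windows hides extensions).
import os

# Signatures for the image types the article mentions, plus the PE header that
# every Windows .EXE/.DLL/.SCR starts with. Keys are canonical type names.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "exe": (b"MZ",),
}

# Map image extensions (lowercase) to the canonical type they should contain.
IMAGE_EXTS = {"png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif"}
# Assumed list of extensions Windows will execute or script-run on double-click.
EXECUTABLE_EXTS = {"exe", "dll", "scr", "com", "bat", "cmd", "ps1", "js", "vbs", "hta", "msi"}


def split_name(name):
    """Return (stem, [extensions]) so that 'cat.png.exe' -> ('cat', ['png', 'exe'])."""
    base = os.path.basename(name)
    parts = base.split(".")
    if len(parts) < 2 or parts[0] == "":      # no extension, or a dotfile
        return base, []
    return parts[0], [p.lower() for p in parts[1:]]


def sniff(head):
    """Identify the content type from the file's first bytes; None if unknown."""
    for kind, sigs in SIGNATURES.items():
        if any(head.startswith(sig) for sig in sigs):
            return kind
    return None


def assess(name, head):
    """Return (verdict, reason) for a filename and its leading bytes.

    verdict is 'ok', 'suspicious' or 'danger'. 'head' only needs the first 8 bytes.
    """
    _, exts = split_name(name)
    real_ext = exts[-1] if exts else None
    # With extensions hidden, Explorer shows everything up to the last dot, so
    # for 'cat.png.exe' the user sees 'cat.png' and reads the file as an image.
    shown_as = exts[-2] if len(exts) >= 2 else None
    kind = sniff(head)

    if real_ext in EXECUTABLE_EXTS:
        if shown_as in IMAGE_EXTS:
            return "danger", f"double extension: looks like .{shown_as} but is .{real_ext}"
        return "danger", f"executable extension .{real_ext}"
    if real_ext in IMAGE_EXTS:
        expected = IMAGE_EXTS[real_ext]
        if kind == "exe":
            return "danger", f"named .{real_ext} but content is a PE executable"
        if kind is None:
            return "suspicious", f"named .{real_ext} but content is not a recognised image"
        if kind != expected:
            return "suspicious", f"named .{real_ext} but content looks like {kind}"
    return "ok", f"{kind or 'unknown'} content with extension .{real_ext}"


def scan_directory(path, head_len=8):
    """Assess every regular file in 'path'; returns {filename: (verdict, reason)}."""
    results = {}
    for entry in os.scandir(path):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                results[entry.name] = assess(entry.name, fh.read(head_len))
    return results


if __name__ == "__main__":
    # Constructed samples standing in for files dragged out of the browser.
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",   # genuine JPEG header
        "cat.png": b"MZ\x90\x00\x03\x00\x00\x00",         # PE file wearing a .png name
        "cat.png.exe": b"MZ\x90\x00\x03\x00\x00\x00",     # shows as 'cat.png' with extensions hidden
    }
    for fname, head in samples.items():
        print(f"{fname:14} -> {assess(fname, head)}")
```

The check deliberately treats the name and the content as two independent signals: a .png name over an MZ header is flagged even when there is only one extension, and a .png.exe name is flagged even before the bytes are read, because the two bugs above can produce either shape of file. Run scan_directory() against a real folder to apply it to everything there.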
Fixes for Follina!
Last month's Big Bad Windows Bug was Follina, properly known as CVE-2022-30190.
Follina was a nasty code execution exploit whereby an attacker could send you a booby-trapped Microsoft Office document that linked to a URL starting with the characters ms-msdt:.
That document would then automatically run commands of the attacker's choice (PowerShell, in the public proof-of-concept) via the Windows diagnostic tool, even if all you did was browse to the file in Explorer with the preview pane turned on.
Firefox has weighed in with additional mitigations of its own by essentially "disowning" Microsoft's proprietary URL schemes starting with ms-msdt: and other potentially dangerous names, so that it no longer even asks you whether you want to process the URL. In Mozilla's own words from the release notes:
The ms-msdt, search, and search-ms protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited via Firefox), so in this release Firefox has blocked these protocols from prompting the user to open them.
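As an added example, not code from the article or from Mozilla, the Python below looks for the three schemes that the Firefox note names (ms-msdt:, search-ms:, search:) in two places a responder would check: in arbitrary text or HTML, and inside an Office document's OOXML package, where the Follina samples did not carry the ms-msdt: URL directly but pointed an external oleObject relationship at a remote HTML page that then redirected to it. The scanner therefore rates a direct blocked-scheme target as dangerous and any other external oleObject relationship as worth reviewing. The package built by build_sample_docx() is a constructed, deliberately minimal stand-in, not a real sample, and the target URLs and HTML snippets are placeholders chosen for illustration.

```python
# Added example, not code from the article or from Mozilla: find links that use
# the three Windows protocol schemes Firefox 102 stopped prompting for
# (ms-msdt:, search-ms:, search:), both in plain text/HTML and inside an Office
# (OOXML) package. The Follina documents pointed an external oleObject
# relationship at a remote HTML page, which then redirected to the ms-msdt: URL.
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Longest alternative first so 'search-ms:' is not cut short as 'search'.
BLOCKED_SCHEMES = ("ms-msdt", "search-ms", "search")
LINK_RE = re.compile(
    r"\b(?:" + "|".join(re.escape(s) for s in BLOCKED_SCHEMES) + r"):[^\s\"'<>]*",
    re.IGNORECASE,
)

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def find_links(text):
    """Return every blocked-scheme URL found in a blob of text or HTML."""
    return LINK_RE.findall(text)


def scan_ooxml(data):
    """List every external relationship in a docx/xlsx/pptx (a zip of XML parts).

    Each entry is (part, rel_type, target, severity): 'danger' when the target
    itself uses a blocked scheme, 'review' for any other external oleObject
    (the Follina shape), 'info' for other external targets such as hyperlinks.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if LINK_RE.match(target):
                    severity = "danger"
                elif rel_type == "oleObject":
                    severity = "review"
                else:
                    severity = "info"
                findings.append((part, rel_type, target, severity))
    return findings


def build_sample_docx(target, rel_type="oleObject"):
    """Construct a minimal, deliberately incomplete OOXML package (not a real
    Follina sample) whose document part has one external relationship of
    'rel_type' pointing at 'target'. Only the .rels part matters to scan_ooxml()."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" TargetMode="External" '
        f'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/{rel_type}" '
        f"Target={quoteattr(target)}/>"
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed HTML standing in for the page a Follina-style document fetches.
    html = ('<a href="ms-msdt:/id PCWDiagnostic">open</a> '
            '<a href="search-ms:query=invoice">search</a> '
            '<a href="https://example.com/">fine</a>')
    print(find_links(html))
    print(scan_ooxml(build_sample_docx("https://example.com/payload.html")))
    print(scan_ooxml(build_sample_docx("ms-msdt:/id PCWDiagnostic /skip force /param PLACEHOLDER")))
    print(scan_ooxml(build_sample_docx("https://example.com/", rel_type="hyperlink")))
```

The regular expression is anchored on a word boundary and requires the colon, so ordinary words like "research" or a hostname such as search.example.com do not trigger it, while the scheme match is case-insensitive because Windows treats scheme names that way. Fetching the remote page that a 'review' finding points at, and running find_links() over it, is the natural second step but is left out here so the example runs offline.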
What to do?
Just go to Help > About Firefox to check what version you're on; you're looking for 102.0.
If you're up-to-date then a popup will tell you so; if not, the popup will offer to start the update for you.
If you or your company has stuck to the Firefox Extended Support Release (ESR), which includes feature updates only every few months but delivers security updates whenever needed, you're looking for ESR 91.11.
Remember that ESR 91.11 denotes Firefox 91 with 11 updates' worth of security fixes, and because 91+11 = 102, you can easily tell that you're level with the latest mainstream version as far as security patches are concerned. (The arithmetic works because each ESR point release ships alongside a mainstream release; ESR only needs the fixes that apply to its older codebase, so its own advisory lists fewer CVEs, but it is not behind on any that affect it.)
Linux and BSD users who have installed Firefox via their distro will need to check with their distro for the needed update.