It’s time for this month’s scheduled Firefox replace (technically, with 28 days between updates, you generally get two updates in a single calendar month, however July 2022 isn’t a type of months)…
…and the excellent news is that the worst bugs listed, which get a danger class of Excessive, are these discovered by Mozilla itself utilizing automated bug-hunting instruments, and lumped togther underneath two catchall CVE numbers:
- CVE-2022-36320: Reminiscence security bugs mounted in Firefox 103.
- CVE-2022-2505: Reminiscence security bugs mounted in Firefox 103 and 102.1.
The rationale that these bugs are cut up into two teams is that Mozilla formally helps two flavours of its browser.
There’s the latest-and-greatest model, presently 103, which has all the newest options and related safety fixes.
And there’s the Prolonged Assist Launch (ESR) flavour, which synchs up with the options within the newest model each few months, however in between will get safety updates solely, thus bringing in new options solely after they’ve been accessible to check out within the mainstream model for a while.
As you’ll be able to think about, sysadmins and IT groups who help Firefox at work usually like ESRs as a result of it means they don’t must foist new options on their very own customers (or take the inevitable help calls about new menu choices, totally different icons and modified behaviour) with out good warning.
There are virtually at all times no less than a number of bugs mounted within the mainstream Firefox model that don’t seem within the ESR, and thus can’t be mounted there, as a result of the bugs are new, launched within the new code added to help the brand new options.
That is another excuse that some sysadmins like ESR-style software program, on condition that the code in these variations has been geneally uncovered to real-life scrutiny for longer, with out lagging behind on safety patches.
Actually, Mozilla retains two ESR variations, in an effort to attempt the earlier and the present ESR variations on the identical time earlier than making the swap, thus by no means needing to make use of the cutting-edge model our your manufacturing community in any respect. (See beneath for the newest model numbers of all currently-supported variations.)
Deceptive your clicks
Of the opposite six bugs on the patch checklist, we expect two are intriguing and essential, as a result of each of them give attackers an opportunity to trick you into clicking one thing that isn’t what it appears:
- CVE-2022-36319: Mouse Place spoofing with CSS transforms. Merely put, this bug implies that a booby-trapped web site may go away your mouse pointer positioned on the improper spot within the browser window, in order that clicking your mouse received’t register the place you anticipate. This trick is commonly known as clickjacking, the place a scammer makes you assume you’re clicking someplace protected, when in actual fact you’re clicking on a hyperlink or button you’d intentionally have prevented if solely you knew. In its easiest kind, clickjacking can engineer faux social media likes or undesirable ad impressions. At worst, it will possibly lead you immediately into hurt from phishing assaults or faux downloads that aren’t apparent, even in case you’re searching for them.
- CVE-2022-36314: Opening native
.lnk
recordsdata may trigger sudden community masses.LNK
recordsdata are Home windows shortcuts, that are an entire can of safety worms in their very own proper. (A.LNK
file can sneakily redirect you to a file of kind X, resembling.EXE
, whereas presenting itself with an icon of kind Y, resembling.PDF
.) On this case, an online hyperlink that specified a neighborhood .LNK
file, may, if clicked, redirect you to a file saved someplace on the community as a substitute. Though there’s no suggestion that the information fetched this manner might be used for distant code execution (in different phrases, to make unauthorised adjustments, together with implanting malware), you might simply be tricked into trusting distant content material underneath the mistaken impression that it was native knowledge. Any community request leaks some data to the particular person operating the server on the different finish, so it’s essential in your browser to offer you an correct concept of the place every hyperlink you click on will take you.
LEARN MORE ABOUT SHORTCUTS AND MALWARE
What to do?
As common, go to Assist > About Firefox and see whether or not the popup field tells you Firefox is updated
or gives you a clickable button labelled [Update to X]
.
This time, the model you’re after is 103.0 (in case you’re utilizing the mainstream model), ESR 102.1 (in case you’re on the most up-to-date ESR model), or ESR 91.12 (in case you’re on the oldest ESR flavour).
As we’ve defined earlier than, however assume it’s price mentioning once more, the 2 numbers within the ESR launch identifiers add collectively to indicate the mainstream launch that they match up with by way of safety updates.
So, on condition that the present mainstream model is 103, you’ll be able to rapidly inform than 102.1 ESR (102+1 = 103) and 91.12 ESR (91+12 = 103) are the latest releases of their respective lineages.