Firefox 101 is out, this time with no 0-day scares (but update anyway!) – Naked Security


The latest scheduled Firefox update is out, bringing the popular alternative browser to version 101.0.
This follows an intriguing month of Firefox 100 releases, with Firefox 100.0 arriving, as did Chromium 100 a month or so before it, without any trouble caused by the shift from a two-digit to a three-digit version number.
Early in 2022, as both Chromium and Firefox coincidentally approached their centuries at about the same time, it looked as though at least a few mainstream websites were extracting version numbers for both products incorrectly.

Some sites, it seemed, were searching the browsers’ User-Agent text strings for patterns that were hard-wired to extract just two digits’ worth of version information.
As you can imagine, folding three digits into two gives you an error a bit like the millennium bug, with 100 turning either into 10 or into 00, depending on which end you prune.
Both 0 and 10 represent version numbers from a time gone by, thus incorrectly flagging a brand-new browser as a recklessly outdated one, which some sites refused to accept.
[Image: Daimler’s website when we visited with a pre-release of Edge 100 (Chromium-based) back in February 2022. Ironically, of course, our browser was ahead of the curve, not way behind it.]
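The two-digit pruning error described above, next to a parser that reads the whole major version, as an added example that is not part of the original article. The function names, the minimum version of 60 and the User-Agent strings are constructed for illustration.

```javascript
// Constructed sample User-Agent strings (not captured from real traffic).
const SAMPLE_UAS = {
  firefox99: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0',
  firefox100: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0',
  chrome100: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ' +
             '(KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36',
};

// Brittle: hard-wired to two digits, keeping the leading end (100 -> 10).
function majorFirstTwoDigits(ua) {
  const m = /(?:Firefox|Chrome)\/(\d{2})/.exec(ua);
  return m ? Number(m[1]) : null;
}

// Brittle: keeps the two digits just before the dot (100 -> 00 -> 0).
function majorLastTwoDigits(ua) {
  const m = /(?:Firefox|Chrome)\/\d*(\d{2})\./.exec(ua);
  return m ? Number(m[1]) : null;
}

// Robust: take every digit of the major version, however many there are.
function majorVersion(ua) {
  const m = /(?:Firefox|Chrome)\/(\d+)/.exec(ua);
  return m ? parseInt(m[1], 10) : null;
}

// Hypothetical "is this browser new enough?" gate, as a site might apply it.
function isAccepted(ua, parser, minMajor) {
  const major = parser(ua);
  return major !== null && major >= minMajor;
}

// Run each parser over each sample and record which ones misread the version.
function auditParsers(minMajor) {
  const parsers = { majorFirstTwoDigits, majorLastTwoDigits, majorVersion };
  const rows = [];
  for (const [label, ua] of Object.entries(SAMPLE_UAS)) {
    for (const [name, parser] of Object.entries(parsers)) {
      rows.push({ label, name, parsed: parser(ua), accepted: isAccepted(ua, parser, minMajor) });
    }
  }
  return rows;
}

console.table(auditParsers(60));
```

Both brittle parsers read version 99 correctly, which is why the defect stayed hidden until the first three-digit release.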
No doubt in part due to the efforts of both Google’s Chromium and Mozilla’s Firefox coders (who combined to identify ill-behaved websites, and even prepared emergency “escape mechanisms” whereby their respective browsers would continue calling themselves 99.something when visiting ill-programmed web servers), the 100.0 release of both browsers was ultimately uneventful…
…but Firefox followed its regular 100.0 release with an emergency 100.0.1 release, which turned on a brand new Windows security feature that hadn’t quite made the cut in 100.0.
We wondered why this new feature, which had been a long time in the brewing and wasn’t designed to fix a specific, known-to-be-exploitable security vulnerability, hadn’t simply been saved up and released as a new feature in the scheduled 101.0 version.

But the fact that it was just a couple of days before the notorious Pwn2Own hacking competition, where contestants are presented with bang-up-to-date computers on which to try their attacks, led us to assume (or at least to guess) that Mozilla figured that it was worth getting out an official release with extra anti-hacking protection, just in case.

In the end, however, Firefox was hacked, in a gloriously well-prepared double-exploit attack that took just seven seconds to break into the browser and then break back out of its protective shell for a full sandbox escape.
To its credit, Mozilla then released 100.0.2 within 48 hours, with fixes for both of these newly-disclosed bugs.

Less drama this time
We don’t doubt, therefore, that the somewhat less dramatic release of 101.0, with no zero-day security holes fixed, and no patches deemed Critical, will have been something of a relief to the Mozilla team.
In case you’re wondering, this was indeed the second full release of Firefox in the month of May 2022, which is Mozilla’s equivalent of a blue moon. (The moon doesn’t actually turn blue – that’s just the nickname used when there’s a second full moon squeezed into one calendar month).
This is caused by the fact that Firefox updates are scheduled for every fourth Tuesday, which is once every 28 days, rather than for a specific Tuesday in each month, which is once in about every 30.5 days.
Although none of the bugs fixed in this release are Critical, there are numerous High-category fixes, plus a handful of Moderate ones, including:

CVE-2022-31737: Heap buffer overflow in WebGL. A malicious webpage with booby-trapped graphics could induce a memory buffer overflow, typically leading to a crash, or perhaps even to remote code execution.
CVE-2022-31738: Browser window spoof using fullscreen mode. Web pages aren’t supposed to be able to display content outside the confines of their own display area, thus leaving the browser itself with full control of important user interface components such as the address bar and navigation buttons. A web page that could trick the browser into writing to the wrong part of the screen could bypass this “sanctity of display” protection.
CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files. When you specify a filename on Windows, some characters aren’t always treated literally. For example, a filename of %HOMEPATH% doesn’t necessarily get saved under that letter-for-letter filename. Unless you “escape” these percent signs to show they’re meant literally, the special marker %HOMEPATH% is rewritten and replaced with the actual name of your home directory. Likewise, %WINDIR% denotes where Windows is installed, regardless of what directory was chosen at setup time. Programs that accept filenames from untrusted sources therefore need to take care to “escape” percent signs so that they mean exactly what they say (a % character), instead of sneakily triggering a rewrite that could misdirect a file from one directory into another.
CVE-2022-31743: HTML Parsing incorrectly ended HTML comments prematurely. Anything between an opening text string of <!-- and a closing --> is treated as an HTML comment, and is skipped when the file is actually used. Misrecognising the end of a comment could lead to an otherwise innocent-looking page including content that wasn’t supposed to appear, or to a script element executing even though it was supposed to be ignored.
CVE-2022-1919: Memory Corruption when manipulating webp images. This bug was essentially the opposite of a use-after-free, which is where a program hands back a block of memory so it can be used elsewhere in the program, but carries on writing to it anyway. This bug was what you might call a free-without-use, where Firefox tried to “return” memory it hadn’t been given in the first place. This could lead to a crash, or perhaps even to remote code execution.
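The percent-sign handling discussed under CVE-2022-31739, shown as an added example of neutralising an untrusted suggested filename before saving it; this is not Mozilla's code or its actual fix. The function names, the choice of "_" as the replacement character and the environment values are assumptions made for the demonstration.

```javascript
// Constructed environment for the demonstration; the values are placeholders.
const DEMO_ENV = { HOMEPATH: '\\Users\\demo', WINDIR: 'C:\\Windows' };

// Simplified model of the rewriting the article describes: %NAME% is replaced
// by the variable's value. A stand-in for illustration, not the Windows API.
function expandPercentVars(text, env) {
  return text.replace(/%([^%]+)%/g, (whole, name) => {
    const key = name.toUpperCase();
    return Object.prototype.hasOwnProperty.call(env, key) ? env[key] : whole;
  });
}

// Hypothetical sanitiser for a filename suggested by an untrusted server.
function safeDownloadName(suggested) {
  const base = String(suggested).split(/[\\/]/).pop(); // drop any directory part
  const cleaned = base
    .replace(/%/g, '_')                         // % can no longer form a %NAME% marker
    .replace(/[<>:"|?*\u0000-\u001f]/g, '_')    // characters Windows reserves in names
    .replace(/[. ]+$/, '');                     // trailing dots and spaces
  return cleaned === '' ? 'download' : cleaned;
}

// After any expansion, the name must still be one plain filename component:
// no separators, no drive colon, and not a relative-directory marker.
function staysSingleFilename(name, env) {
  const expanded = expandPercentVars(name, env);
  return !/[\\/:]/.test(expanded) && expanded !== '.' && expanded !== '..';
}

// Compare the raw and sanitised form of each constructed suggestion.
function checkSuggestions(suggestions, env) {
  return suggestions.map((raw) => {
    const safe = safeDownloadName(raw);
    return {
      raw,
      rawStaysPut: staysSingleFilename(raw, env),
      safe,
      safeStaysPut: staysSingleFilename(safe, env),
    };
  });
}

console.table(checkSuggestions(['%HOMEPATH%', '%WINDIR%', 'report 100%.pdf'], DEMO_ENV));
```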

As well as these specific bugs, Mozilla also announced CVE-2022-31747 and CVE-2022-31748, vulnerability numbers designating a range of general memory mismanagement bugs found by the Firefox team and its automated bug-hunting tools.
These bugs weren’t examined in detail to see which ones could actually be exploited, but were assumed to be potentially exploitable and fixed anyway.
The first of these, CVE-2022-31747, denotes bugs fixed in both the 101.0 release and the Extended Support Release 91.10 (note that 91+10 = 101).
This suggests that these bugs have been in Firefox’s codebase since the 91 release or even earlier, given that ESR 91.10 consists of the Firefox 91.0 code with all interim security fixes applied, but no new features added.
The latter designator, CVE-2022-31748, denotes bugs fixed in 101.0 only, and is a good reminder that new features do tend to bring new bugs, and helps explain why Mozilla maintains its ESR product branch.
The ESR flavour of Firefox is popular with network sysadmins who are willing to wait for new features, but not at the expense of running software that’s outdated from a security standpoint.
What to do?
As usual, go to Help > About Firefox to check if you’re up to date, and to force an update if it turns out you aren’t.
(Linux/Unix users may need to refer to their distro for updates if they originally installed Firefox via a distro-managed package rather than by downloading Mozilla’s own installer.)
