The once-every-four-weeks security update to Mozilla’s Firefox browser officially arrived today.
The regular version of Firefox is now 99.0, while the Extended Support Release, which gets security fixes without any feature updates, is now 91.8.0 ESR.
Add together the first two numbers in the ESR release triplet and you should get the same value as the first number in the regular release.
(So 91.8 ESR has the feature set of Firefox 91.0, plus the same 8 sets of four-weekly security patches that came out in the intervening full releases, which aligns it security-wise with version (91+8).0, i.e. 99.0.)
Fortunately, as in the April 2022 Google Android update we just wrote about, which happened to arrive on the same day, there were no critical security fixes and no zero-day holes patched.
In particular, although Mozilla admits that some of the memory management bugs that were fixed in Firefox 99.0 might be exploitable “with enough effort”, no working exploits are yet known.
And with no known exploits at all, clearly there are no known exploits that were already being used by the Bad Guys, or zero-days as they’re called in the jargon.
What to do?
Despite the apparently low risk this month, all security holes bring with them some danger, or they wouldn’t be given CVE bug numbers and listed in security advisories, so we recommend updating as soon as you can.
Click the Menu button (three lines) at the top right of your Firefox window, then click Help, and select About Firefox.
If you’re already up-to-date then the dialog will tell you, otherwise it will fetch the latest version.
If an update is needed, don’t forget to click [Restart to update Firefox] to activate the new version. (Alternatively, simply quit Firefox and launch the app again.)
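If you are checking a fleet of machines rather than one About dialog, the ESR alignment rule stated above (first two numbers of the ESR triplet add up to the regular major version) can be turned into a patch-level check. This is an added example, not Mozilla’s code; it assumes version strings in the form that `firefox --version` prints (the sample strings below are constructed) and that the post’s 91.x ESR alignment rule is the one in force.

```python
import re
from typing import NamedTuple, Tuple

# Security baseline of this advisory, expressed as a regular-release number:
# Firefox 99.0 and its ESR twin 91.8.0 (91 + 8 = 99) both sit at this level.
ADVISORY_REGULAR = (99, 0)


class FirefoxVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    esr: bool


# Matches "99.0", "99.0.1", "91.8.0esr" at the end of a line such as
# "Mozilla Firefox 91.8.0esr" (the output format of `firefox --version`).
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?\s*(esr)?$", re.IGNORECASE)


def parse_firefox_version(text: str) -> FirefoxVersion:
    """Parse a version banner or bare version string into its components."""
    m = VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {text!r}")
    major, minor, patch, esr = m.groups()
    return FirefoxVersion(int(major), int(minor), int(patch or 0), esr is not None)


def security_level(v: FirefoxVersion) -> Tuple[int, int]:
    """Map a version to the regular release it is aligned with security-wise.

    Assumption (from the post): for the 91.x ESR line, ESR major + minor equals
    the regular major version, so 91.8.0esr is aligned with 99.0.
    """
    if v.esr:
        return (v.major + v.minor, 0)
    return (v.major, v.minor)


def is_patched(version_text: str, baseline: Tuple[int, int] = ADVISORY_REGULAR) -> bool:
    """True if the installed build is at or beyond the advisory's security level."""
    return security_level(parse_firefox_version(version_text)) >= baseline


if __name__ == "__main__":
    # Constructed sample banners, one per host, as an inventory script might collect them.
    for banner in ("Mozilla Firefox 99.0", "Mozilla Firefox 91.8.0esr", "Mozilla Firefox 91.7.0esr"):
        print(f"{banner!r:35} patched={is_patched(banner)}")
```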
The full list of fixes for this release can be found in Mozilla’s Security Advisory 2022-13.
Two of the bugs that we found interesting are:
- CVE-2022-28283: Missing security checks for fetching sourceMapURL. The SourceMap tool in Firefox isn’t intended for everyday use – it’s a feature that’s useful for developers wanting to dig into the JavaScript source code of a web page to see why it’s misbehaving. Many JavaScript programs are deliberately served over the internet in non-human-readable form, sometimes as a way of making them harder to figure out, but often simply as a way of squashing them up to save download space and time. SourceMap tries to reverse this obfuscation in order to make bugs and rendering problems easier to spot. In this case, obfuscated JavaScript in a web page could have been booby-trapped so that a developer trying to debug it might inadvertently load privileged content such as the contents of local files. Ironically, this means that someone helping out by investigating an innocent-looking problem triggered by someone else’s website (or injected ad page) could end up allowing scripts from that “broken” website to take a peek at local, private data.
- CVE-2022-28286: IFRAME contents could be rendered outside the border. This one was rated “low”, so we assume it’s unlikely to cause much harm even if someone figures out how to exploit it on unpatched computers. Nevertheless, it’s an important reminder that context matters. IFRAMEs, as the name suggests, are inline frames that create what is essentially a page-within-a-page. Obviously, the content of the inner page mustn’t be allowed to appear outside the IFRAME’s own window, or it might obscure important information in the enclosing page, such as a bold warning that THE FINANCIAL DATA BELOW IS UNAUDITED AND SHOULD NOT BE RELIED UPON, or a statutory notification that THE WINDOW BELOW IS A PAID AD. So-called “spoofing attacks” can be surprisingly useful to cybercrooks, because they make it easier to pass off fake content as the real thing, or to hide warnings that would otherwise tip you off that you were about to get scammed.
Note. If you’re running a version of Firefox that is managed and updated as part of your Unix or Linux operating system distro, don’t forget to check with your distro for the latest version, not with Mozilla’s own servers.