The latest full new version of Firefox is out, marking the first of two “monthly” upgrades you’ll see this month.
Just as there will be a blue moon in August 2023 (that’s the name applied to a second full moon in the same calendar month, rather than reference to an atmospheric phenomenon that makes the moon seem blue, in case you ever wondered), there will be a blue Firefox too.
Firefox version upgrades happen every 28 days, rather than once a month, so whenever a release comes out early enough in the month, there will be a second upgrade squeezed in at the end.
Teachable moments
Fortunately there are no zero-day vulnerabilities this time, but the following bug reports caught our eye:
- CVE-2023-4045: Offscreen Canvas could have bypassed cross-origin restrictions. One webpage could peek at images displayed in another page from a different site. The same-origin policy in browsers is supposed to restrict the reach of HTML and JavaScript content from site X so it can access forms, data, images, cookies and the like only if they too originally came from site X. Any tricks that can bypass this same-origin protection can theoretically be used to slurp up so-called cross-origin data that shouldn’t be accessible at all.
- CVE-2023-4047: Potential permissions request bypass via clickjacking. A rogue page could tempt you to click on a carefully-placed item, such as an entirely innocent-looking button, only for the input to register as a click in a security dialog that didn’t pop up in time for you to see. Potentially risky permissions, such as accessing your location, sending notifications, activating the microphone and so on, are not supposed to be granted until you’ve seen and acted on a clear warning from the browser itself.
- CVE-2023-4048: Crash in DOMParser due to out-of-memory conditions. DOM is short for document object model, and the DOMParser is the code that deconstructs the HTML in a web page that the browser is rendering for display, turning it into a big JavaScript data object in which all the individual components such as paragraphs, headings, images, table items and so on can be accessed and modified programmatically. Complex pages typically turn into large JavaScript structures that can take a lot of memory to figure out and then to store. Assume that a determined attacker could deliberately eat up memory by loading a number of large but innocent pages, and then predictably trigger a crash using a crafted HTML file that gets fetched at just the wrong time.
- CVE-2023-4050: Stack buffer overflow in StorageManager. This is an old-school stack overflow that doesn’t get detected in time by Firefox itself, and could therefore lead to a crash instead of a controlled shutdown. All crashes caused by the incorrect flow of execution in a program (such as jumping to any invalid memory address X) should be considered potentially exploitable. Assume that a determined attacker could figure out how to influence the value of X, and thereby gain at least some measure of malevolent control over the crash.
- CVE-2023-4051: Full screen notification obscured by file open dialog. Fullscreen mode is always a bit risky, because it gives the web page you’re viewing precise control over every pixel on the screen. This means that there are no parts of the display that can be modified only by the browser itself or only by the operating system. That’s why browsers aim to warn you before giving over the whole display to a web page, so you know that popups that look like official browser or operating system dialogs might be no such thing.
- CVE-2023-4057 and CVE-2023-4058: Memory safety bugs fixed in various Firefox versions. As usual, even though none of these bugs was obviously exploitable, and they were fixed proactively anyway, Mozilla has rated them “High” and given its ever-frank assessment that “we presume that with enough effort some of these could have been exploited to run arbitrary code.”
What to do?
The new versions you are looking for after updating are:
- Firefox 116 if you’re on the latest version.
- Firefox ESR 115.1 if you are a user of the Extended Support Release, which includes security patches but doesn’t add new features. (Adding 115+1 from the ESR version number tells you that this release aligns with Firefox 116 for security fixes, even though its feature set aligns with Firefox 115.)
- Thunderbird 115.1 if you use Mozilla’s email software, which includes the Firefox web browsing code for rendering HTML emails and viewing emailed web links.
Head to Firefox -> About Firefox if you have a Mac, or Help -> About Firefox on other platforms.
Dont forget, if you use one of the BSDs or a Linux distro, that your Firefox release might be managed by the distro itself, so check with your provider for updates.