Firefox 70 Is Released With 13 Security Vulnerabilities Fixed

From LinuxReviews
Jump to navigationJump to search

The latest version of the underdog web browser Firefox includes fixes for 13 CVE-numbered vulnerabilities. There is also new "social tracking" protection which adds to the anti-tracking features introduced in the previous versions and a new special about:protections which shows what kind of tracking Firefox has blocked lately. WebGL performance is slightly better when using the Basic rendering option; overall performance is essentially the same as previous versions.

Firefox 70 showing a typical modern website.

13 Security Holes Plugged

The Mozilla Corporation publishes a "release notes" page each time they release a new version of their "free software" wholly controlled by them Firefox web browser. This page, including the release notes page for Firefox 70, will typically brag about all the new features included in the latest and greatest version of their flagship product. They also publish another important page which they do not advertise when they ship browser updates. That page is titled "Security vulnerabilities fixed in - $BrowserVersion" and it is typically riddled with all kinds of scandalous admissions.

Firefox 70 contains fixes the following security problems which were present in previous versions:

  • CVE-2018-6156: Heap buffer overflow in FEC processing in WebRTC
  • CVE-2019-15903: Heap overflow in expat library in XML_GetCurrentLineNumber
  • CVE-2019-11757: Use-after-free when creating index updates in IndexedDB
  • CVE-2019-11759: Stack buffer overflow in HKDF output
  • CVE-2019-11760: Stack buffer overflow in WebRTC networking
  • CVE-2019-11761: Unintended access to a privileged JSONView object
  • CVE-2019-11762: document.domain-based origin isolation has same-origin-property violation
  • CVE-2019-11763: Incorrect HTML parsing results in XSS bypass technique
  • CVE-2019-11765: Incorrect permissions could be granted to a website
  • CVE-2019-17000: CSP bypass using object tag with data: URI
  • CVE-2019-17001: CSP bypass using object tag when script-src 'none' is specified
  • CVE-2019-17002: upgrade-insecure-requests was not being honored for links dragged and dropped
  • CVE-2019-11764: Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2

CVE-2019-11759 and CVE-2019-11764 sound specially problematic since those vulnerabilities could be (ab)used to run arbitrary code on the local computer. Several of the other vulnerabilities have the potential be used to read privileged parts of the memory Firefox has access to. These security issues alone are a good reason to upgrade to either Firefox 70 or Firefox ESR 68.2 if you are using the Firefox browser.

Still No Default WebRender on GNU/Linux Systems (and that is a good thing)

Mozilla has been working on a shiny new rendering system for Firefox called "WebRender". The new Firefox version enables it on some specific Windows systems (those with Intel GPUs and lower resolutions). Visiting about:support (type it into the address bar) on a brand new Firefox 70 profile on a GNU/Linux system reveals that "Compositing" is set to "Basic" and "HW_COMPOSITING" is listed as "blocked by env: Acceleration blocked by platform".

It is possible to visit the secret settings page about:config and change the key gfx.webrender.enabled to true. Restarting Firefox after changing this key will enable the WebRender. That it is enabled can be verified by re-visiting the special about:support page which will now show "Compositing" to be using the "WebRender" option. Enabling Webrender on GNU/Linux systems will decrease performance by a lot when it comes to OpenGL/WebGL performance. We do not recommend enabling it. Overall performance is essentially the same as with the stock Basic rendering but WebGl rendering will take a hit.


Firefox 70 performs about the same as previous versions in tests which try to simulate real-world use as well as synthetic JavaScript tests. The notable exception is WebGL performance which has improved when using stock "Basic" rendering. Switching to the fancy new WebRender engine decreases performance in the synthetic Unity 2018 Web Browser Benchmark which you can try here. Both rendering modes lag behind Chrome/Chromium when it comes to WebGL performance.

Firefox 70 performs better than previous versions in the Unity 2018 Web Browser Benchmark. It still lags quite far behind Chromium/Chrome.

The Basemark benchmark tries to emulate real-world performance. It does include some WebGL but not much. Firefox 70 is barely faster than previous Firefox versions in this test and lags Chromium/Chrome by a large margin.

JetStream 2 is a purely synthetic JavaScript test. Firefox 70 performs about the same as Firefox 68 did.

The WebXPRT 3 test from Intel-funded Principled Technologies is another test which tries to simulate real-world use. There is no difference between earlier versions of Firefox and the new version. Firefox does outperform Chromium/Chrome in this particular test.

Social Tracking Protection

The latest version of Firefox has built-in cross-site tracking protection by limiting access to cookies from large social media sites like Twitter and Facebook. This may be handy if you use those sites. However, it is important to remember that Firefox's Privacy Notice admits that:

"Firefox sends data about your interactions with Firefox to us (such as number of open tabs and windows; number of webpages visited; number and type of installed Firefox Add-ons; and session length) and Firefox features offered by Mozilla or our partners (such as interaction with Firefox search features and search partner referrals)."

Firefox's own spying can be disabled in the sub-section Firefox Data Collection and Use in the Privacy & Security tab in it's settings menu.

Firefox will also send everything you type into the search-box to it's default search-provider Google. Changing to a Searx-instance or a privacy-respecting search-engine like DuckDuckGo is advisable.

The new version has a special page called about:protections where you can see what kind of trackers Firefox claims to have protected you from. You may also want to visit about:telemetry to see how much spying and tracking Firefox itself is doing. It's spying can be disabled but you have to do so; the telemetry is enabled by default.

Improved Password-Sharing/Leaking

Firefox has a built-in password management tool called Lockwise. The desktop version's Lockwise feature can now be used to upload your passwords to Mozilla so they can send a copy of your password to all your devices.

This feature is telling when it comes to Mozilla's agenda. The Firefox 70 release notes mention that one of the high-lights in the new versions are:

"More browser features to help you get the most out of Firefox products and services"

Some of us used to like Firefox for the privacy-aspects it used to have. The increasing amount of tie-ins with Mozilla's services is not a good thing. A web browser should not be asking you to have an account and "log in".

New Developer Features

Firefox 70 has some new features for web developers and a few of them are quite cool. There is a whole page called Firefox 70 for developers listing all the changes. Most the items listed on that page relate to small adjustments as to how Firefox interprets CSS elements. However, there are some actual worthwhile new features in the accessibility area. Firefox can now simulate how color-blind people experience a website.

Firefox 70 allows you to simulate how people who do not see red or green or blue experience a website.

Some web users have reduced eye-sight, some are color-blind and some are blind. The new tools that help ensure that nothing prevent the visually impaired from using a website are welcome and worth a look.

What's next

Mozilla will do monthly releases starting next year. Firefox 71 is scheduled to be released early December. There will be a new release every month throughout 2020. Extended Support Release (ESR) versions, on the other hand, will just see yearly releases with the next major version coming July 2020.