Firefox 71 Released With Built-In MP3 Decoding, 12 Security Fixes and Some Breakage
It's been a while since the patents on the long-outdated lossy-compressed MP3 audio file format expired. This means that free software projects based in countries where software patents are a thing can include the codec, and the latest version of Firefox finally does. There's also a newly re-designed about:config page where some of the configuration options that once made Firefox a great browser remain available.
written by 林慧 (Wai Lin). published 2019-12-08 - last edited 2019-12-11
Firefox 71 with a WJSN theme.
Memory Safety Fixes and Other Resolved Security Problems
- CVE-2019-11756: Use-after-free of SFTKSession object
- CVE-2019-17008: Use-after-free in worker destruction
- CVE-2019-13722: Stack corruption due to incorrect number of arguments in WebRTC code
- CVE-2019-11745: Out of bounds write in NSS when encrypting with a block cipher
- CVE-2019-17014: Dragging and dropping a cross-origin resource, incorrectly loaded as an image, could result in information disclosure
- CVE-2019-17009: Updater temporary files accessible to unprivileged processes
- CVE-2019-17010: Use-after-free when performing device orientation checks
- CVE-2019-17005: Buffer overflow in plain text serializer
- CVE-2019-17011: Use-after-free when retrieving a document in antitracking
- CVE-2019-17012: Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
- CVE-2019-17013: Memory safety bugs fixed in Firefox 71
CVE-2019-17012 and CVE-2019-17013 stand out as interesting. They involve a number of memory-related fixes, and this is part of their description:
"Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code."
A slightly more detailed description of the above problems with previous Firefox versions can be read in Mozilla Foundation Security Advisory 2019-36.
Built-in MP3 Decoding
Some websites are still using the outdated MP3 format for podcasts and things like that. Firefox has been able to play MP3 audio using system libraries since forever. Firefox can now decode MP3 files all on its own as of this release. It does come a bit late; most of the Internet moved on to either the free Opus audio format or the proprietary AAC format long ago.
Firefox 71 has a new "kiosk mode" for Windows only, which may be useful if you want to run Firefox pointed at a captive intranet web portal on a special-purpose device. This is a new locked-down full-screen operating mode. Switching to and from fullscreen with F11 does not work in this mode. The right-click context menu is disabled and so is everything else.
Mozilla's "Kiosk mode" web page describes the new Kiosk mode as "Available on Windows". It's activated by launching Firefox with a -kiosk option. This option does work on the GNU/Linux version; the -kiosk option does launch a basically useless full-screen Firefox. There's no context menu, no other menus, no toolbar, no nothing, just whatever web page it's set to load by default and that's it.
The potential use-cases for the "Kiosk mode" seem limited to specially designed intranet websites with no external links. The next user is stuck where the previous left off with no means of searching, clicking a home button or anything like that.
New HTML5-based "about:config"
The special Firefox page about:config has been re-designed in HTML5. The new design has buttons which either toggle boolean values or make the value next to them editable.
A Not Entirely Problem-Free Upgrade
The WebAssembly portion of the Unity Browser Benchmark, which works fine in previous Firefox versions and current versions of other browsers, throws an error in Firefox 71. It may appear that it's a problem with the benchmark - but it's Firefox 71. It works with other browsers and it works with previous Firefox versions. That makes it a Firefox problem.
The JetStream2 benchmark will also refuse to finish in Firefox 71. It just aborts.
We have no idea if these problems translate to problems with real-world games and applications. It does mean that it will be hard to compare Firefox 71 to other browsers using the synthetic benchmarks we usually run.
It's Coming, You Can Not Stop It
Ubuntu's already pushed Firefox 71 to all their supported releases (Ubuntu Eoan Ermine 19.10, Ubuntu Disco Dingo 19.04 and Ubuntu Bionic Beaver 18.04 LTS). Fedora has pushed Firefox 71 to their "updates-testing" repository. The other major GNU/Linux distributions will follow suit shortly. They always do. You won't have to do anything to get the new release in a timely fashion if you have the firefox package installed; it will be updated automatically the next time you update if you are using Ubuntu, and you will get it within a week or two if you are using another GNU/Linux distribution.
Mozilla's own release announcement has their story as to what the highlights in this release are.