Firefox 72.0.1 Released With Fix For Actively Exploited Security Hole

From LinuxReviews
Jump to navigationJump to search
Firefox-tan.png

Mozilla Firefox 72.0.1 and ESR 68.4.1, released yesterday, have a fix for a problem in the JIT compiler which Mozilla advices they they "are aware of targeted attacks in the wild abusing this flaw". The releases came only a few days after Firefox 72 was released with floating video windows, notification popup blocking, more cross-site scripting protections and a very long list of fixed security vulnerabilities in previous Firefox versions.

written by 윤채경 (Yoon Chae-kyung)  2020-01-09 - last edited 2020-01-09. © CC BY

Firefox-70-vlive.jpg
Mozilla Firefox showing a typical website.

The list of security vulnerabilities fixed in Firefox 72 is very long, It includes three memory corruption issues, two if which could potentially be used to run arbitrary code in the browser, and six "moderate" security problems. None of those were described as being actively used in the wild. Firefox 72.0.1, released just days after 72, lists just one security issue which is describes as:

"Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw."

Mozilla Foundation Security Advisory 2020-03

It is unclear how many previous versions of Firefox are affected, Mozilla does not list specific Firefox versions when they issue security advisories - only "Products: Firefox, Firefox ESR".

No More System Notifications[edit]

Both Firefox and Chromium will, Linux systems, send messages from websites through the systems notification daemon (you can run notify-send "hello" to make libnotify use your desktops notification daemon say hello using a pop-up). Firefox 72 will no longer show these notifications. It will, instead, show a small bubble in the browsers address bar when a website asks it to show a desktop notification.

Picture In Picture Video On Mac And GNU/Linux[edit]

Firefox 71 got a new picture-in-picture video mode on Windows which became available on GNU/Linux and macOS too as of Firefox 72. You can use it on any web page with a video on it. All you have to do to use it on most sites is to right-click on a video and choose Picture-in-Picture to get a floating video window which sticks to the Firefox window across all tabs. Some websites will override the default context menu with its own when you right-click a video. YouTube is one of the bigger sites which does this. Two tricks can be used to get Firefox's own context menu when sites override it: You can hold ⇧ Shift and right-click or right-click twice.

Firefox is not very efficient at playing video on GNU/Linux, installing Youtube-dl and using mpv or SMPlayer when you want a floating video window on your desktop may be preference on all but the most powerful desktop computers.

Even More Enhanced "Enhanced" Tracking Protection[edit]

Firefox has had a feature called "Enhanced Privacy Protection" in several versions already. What it does can be checked on a special page called Privacy Protections which is available in the hamburger-menu, but not the regular menu. It can also be accessed by typing about:protections into the URL bar. Mozilla added fingerprint script blocking to this feature in Firefox 72.

Upgrading[edit]

Windows users can simply go to Help ▸ About Firefox and to make it update itself automatically.

GNU/Linux users will have to wait for distributions to roll out a new release with a fix for the actively-exploited JIT vulnerability in an unknown number of previous Firefox versions. Most distributions do not have Firefox 72 or 72.0.1 in their repositories as of today. Mozilla released a new ESR as well as a regular version to address JIT vulnerability. That is typically enough to make the larger GNU/Linux vendors stand up and take notice. It is therefore likely that either Firefox 72.0.1 or Firefox ESR 68.4.1 will be in your preferred or forced GNU/Linux distribution within a day or three.

0.00
(0 votes)


Add your comment
LinuxReviews welcomes all comments. If you do not want to be anonymous, register or log in. It is free.