Firefox 74 Is Released With Several Vulnerability Fixes
The release notes for Firefox 74 are dull mostly and uninteresting. This is specially true if you use Linux. Firefox 74 can import bookmarks from the new Chromium-based Microsoft Edge browser on Windows and macOS, remove add-ons installed by applications in the add-on manager (about:addons) and there is a new "facebook container" feature for those that use Facebook regularly. The "Security Advisory" for Firefox 74 is far more interesting.
written by Öyvind Sæther. published 2020-03-13 - last edited 2020-03-13
The security advisory for Firefox 74 causally lists several "high" impact security vulnerabilities that were addressed in Firefox 74. Those include:
- CVE-2020-6805: Use-after-free when removing data about origins
- CVE-2020-6806: BodyStream::OnInputStreamReady was missing protections against state confusion
- CVE-2020-6807: Use-after-free in cubeb during stream destruction
- CVE-2020-6814: Memory safety bugs fixed in Firefox 74 and Firefox ESR 68.6
- CVE-2020-6815: Memory and script safety bugs fixed in Firefox 74
Most of the "high" impact vulnerabilities have to do with memory safety. The Firefox developers note that:
"these bugs showed evidence of memory corruption or escalation of privilege and we presume that with enough effort some of these could have been exploited to run arbitrary code."
There are 6 additional "moderate" and one "low" security vulnerability fixed in Firefox 74.
As for new features: There are some, but not many that are particularly interesting. Firefox 74 can import bookmarks from Microsoft's new Chromium-based Edge web browser on Windows and macOS. Microsoft promised a Linux version of the new Edge "at a later time" back in November 2019. Microsoft has not yet delivered on that promise so the ability to import bookmarks from Edge is not that interesting.
There is also a new "Facebook Container" feature in Firefox 74. That feature tries to prevent Facebook trackers on websites ("Like" buttons and similar) from connecting you to your Facebook account when you browse random websites. Facebook will still track you by IP unless you use a web garbage filtering extension like Ublock Origin with a social network blocklist.
Firefox 74 ditches support for TLS 1.0 and TLS 1.1. The Transport Layer Security protocol is used when you connect to websites using
https://. Most modern websites using https are using TLS version 1.2 or, in a minority of cases, 1.3. TLS 1.2 was defined in RFC 5246 in August 2008 and the latest version 1.3 was defined in RFC 8446 in August 2018. The older TLS 1.0 and 1.1 versions have some huge flaws and serious weaknesses which were addressed in the later versions. Firefox 74 will show a security warning if a website using
https:// is served using TLS 1.0 or 1.1. Users can still visit such sites by clicking a button. Very few sites on the Internet use older TLS versions so this is a practical non-issue.
The add-ons manager (
about:addons) will (finally) show add-ons installed by external applications in Firefox 74. That doesn't happen on GNU/Linux systems, but is nice that Windows and macOS users no longer have to go to the special
about:debugging so see all the Firefox extensions that have been installed by malware.
Firefox 74 can be acquired from mozilla.org but you are likely better off waiting until your favorite GNU/Linux distribution adds the new versions to their repositories. The security issues are serious, but there are no known exploits for them so they are not that big of a threat just yet and the new features are mostly a yawn. There is no compelling reason to manually download and install Firefox 74 so you might as well wait until your regular distributions update method provides you with the latest version.