Firefox 78 Is Released With 14 Security Fixes

From LinuxReviews
Jump to navigationJump to search
Firefox-tan.png

Eight "high", four "medium" and two "low" impact security vulnerabilities were fixed with the release of Mozilla Firefox 78. This version is both a regular release and a Extended Support Release (ESR) expected to receive minor bug fixes for a twelve months. There are a few new features in this release, none of which are particularly noteworthy.

written by 윤채경 (Yoon Chae-kyung). published 2020-07-04last edited 2020-07-04

Mozilla org 2020-07-03 15.jpg
mozilla.org website displayed in Chromium 83.0.4103.

The web page with the release notes for Firefox 78 was not easy to find behind all the blatantly racist activist propaganda on the front page at mozilla.org. The whole front page is currently filled with information about how "Black lives matter" and how there is, according to Mozilla, a need to "begin dismantling systemic racism". Clicking on their gigantic propaganda banner leads to a "pocket inside" page where Mozilla encourages for "Systemic change" by institutionalizing discrimination and racism against non-black people.

14 Security Holes Plugged

A long huge waste of time clicking around Mozilla's racist propaganda-riddled website eventually lead us to the Firefox 78 release notes page as well as the much more important Mozilla Foundation Security Advisory 2020-24 page where all the critical security vulnerabilities in previous versions that were addressed in this release are listed.

"CVE-2020-12415: AppCache manifest poisoning due to url encoded character processing Reporter" would allow an attacker to use AppCache data from a top level directory instead of a sub-folder. The exact details for Bug 1586630 remain undisclosed.

"CVE-2020-12416: Use-after-free in WebRTC VideoBroadcaster" and "CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64" could be used to crash Firefox. The latter only affects ARM64 machines.

"CVE-2020-12418: Information disclosure due to manipulated URL object" was a rather serious security hole. Mozilla describes it as "Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript.".

"CVE-2020-12419: Use-after-free in nsGlobalWindowInner" and "CVE-2020-12420: Use-After-Free when trying to connect to a STUN server" were vulnerabilities that could be used to cause memory corruption and potentially crash the browser.

The rest of the security holes in Mozilla Firefox versions prior to the 78 release are listed to be of either "moderate" or "low" impact.

New Features

Firefox-78.jpg
The "Protections Dashboard" in Firefox 78.

Recent versions of Firefox have a "Protections Dashboard" (available by typing about:protections in the address bar) where you can see things Firefox has supposedly protected you from. The dashboard will show social media trackers and, in the latest version, data breaches. "Breach alerts" are optional and you will have to sign up to Mozilla's "monitoring" service to get alerts. The link on the about:protections page for signing up includes a utm_source tracking code. The landing page will ask you to provide a e-mail address. You can only monitor a single e-mail address using that service.

Firefox 78 now features a "refresh" button to the Windows/macOS uninstaller "because we know people try to fix problems by reinstalling Firefox". It is important to be aware that Mozilla by "refresh" mean "remove most of your add-ons and settings except those they think are very important".

Firefox 78 will, according to the release notes, inhibit screensavers when calls using WebRTC are taking place. It is not clear if this applies to screensavers running on GNU/Linux or not.

Firefox users in the UK will get "Pocket recommendation" with "some of the best stories on the web" in new tabs as of this release. That feature can easily be turned off in the preferences under "Home" where "Homepage and new windows" and "New tabs" can be set to show a Blank page or a website or page with bookmarks instead of Firefox Home.

That's it when it comes to new features in Firefox 78. You can't really expect more after Mozilla fired most of the talented developers they had back in January].

A very minor 78.0.1 release came shortly after Firefox 78 to address an issue where previously installed search engines disappeared after upgrading.

Firefox 78.0.1 can be acquired from mozilla.org/en-US/firefox/new/. You are likely better off waiting for it to appear in your favorite GNU/Linux distributions repositories. Many already have it available and those who don't will shortly. This is a ESR so it will become available in the repositories of those distributions who opt for the extended support release branch.

0.00
(0 votes)


Add your comment
LinuxReviews welcomes all comments. If you do not want to be anonymous, register or log in. It is free.