Firefox 80 Released With 10 Security Fixes And A Higher Version Number
Fixes for three "high", four "moderate" and three "low" impact security holes in Firefox are all the latest Firefox release has to offer beyond a new capability to "be set as the default system PDF viewer". The marginalized near-bankrupt Mozilla Corporation appears to be unable to put more than larger version numbers on the table after it was forced to fire 250 employees earlier this month.
written by 윤채경 (Yoon Chae-kyung). published 2020-08-27 - last edited 2020-08-28
It is quite ridiculous to see the release notes for a major, not minor, version of a big software product like Firefox list
"Firefox can now be set as the default system PDF viewer."
as the only major new "feature". The three "high" impact security vulnerabilities, two of which affect GNU/Linux, are the only reason why the 4.26% of web browser users who use Firefox should upgrade. CVE-2020-15664 describes how the eval() function could be referenced from an about:blank window in order to access the Firefox InstallTrigger object. That trick could be used to prompt users to install an extension. CVE-2020-15670 covers several memory safety bugs in Firefox that could be used to corrupt memory and potentially run arbitrary code. The last high-impact security flaw fixed in Firefox 80, CVE-2020-15663, is Windows-specific. Earlier versions would run updater.exe with administrative privileges. updater.exe is only executed if it is signed by Mozilla, but that will not stop an attacker from accomplishing evil by replacing updater.exe with an old version riddled with security holes.
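The gap described above, where a valid vendor signature is accepted without regard to how old the signed binary is, can be shown in a short Python sketch. This is an added example, not Mozilla's code and not a description of how CVE-2020-15663 was actually fixed; the key, version numbers, byte strings and function names are all constructed, and an HMAC stands in for a real code-signing signature.

```python
import hashlib
import hmac

# Stand-in for the vendor's signing key (constructed). A real Windows updater
# is checked with a code-signing certificate; HMAC keeps this runnable offline.
VENDOR_KEY = b"constructed-demo-key"


def sign(binary: bytes, version: tuple) -> bytes:
    """Vendor side: the signature covers the version as well as the bytes."""
    msg = repr(version).encode() + b"\0" + hashlib.sha256(binary).digest()
    return hmac.new(VENDOR_KEY, msg, hashlib.sha256).digest()


def signature_ok(binary: bytes, version: tuple, sig: bytes) -> bool:
    return hmac.compare_digest(sign(binary, version), sig)


def may_run_signature_only(binary, version, sig) -> bool:
    """The check the article describes: any vendor-signed updater passes."""
    return signature_ok(binary, version, sig)


def may_run_with_version_floor(binary, version, sig, installed) -> bool:
    """Signed AND not older than what is already installed."""
    return signature_ok(binary, version, sig) and version >= installed


# Constructed sample data: two genuinely signed updaters, one outdated.
OLD_BIN, OLD_VER = b"old updater bytes", (60, 0, 0)
NEW_BIN, NEW_VER = b"new updater bytes", (80, 0, 0)
OLD_SIG, NEW_SIG = sign(OLD_BIN, OLD_VER), sign(NEW_BIN, NEW_VER)
INSTALLED = (80, 0, 0)

if __name__ == "__main__":
    # Old but validly signed binary: accepted by the signature-only check.
    print(may_run_signature_only(OLD_BIN, OLD_VER, OLD_SIG))
    # Same binary is refused once a version floor is enforced.
    print(may_run_with_version_floor(OLD_BIN, OLD_VER, OLD_SIG, INSTALLED))
    # Relabelling it as 80.0.0 fails, since the version is inside the signature.
    print(may_run_with_version_floor(OLD_BIN, NEW_VER, OLD_SIG, INSTALLED))
    # The current updater passes both checks.
    print(may_run_with_version_floor(NEW_BIN, NEW_VER, NEW_SIG, INSTALLED))
```

The version floor only helps because the version is part of the signed data; a version read from an unsigned field could be edited along with the swapped binary.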
Firefox 80 does have something that could be of interest to GNU/Linux users which Mozilla didn't bother to put in the release notes: Experimental support for hardware video acceleration on X using VAAPI is included but not enabled. Two new settings named media.ffmpeg.vaapi-drm-display.enabled are available under about:config in this release. None of those options are enabled by default and they are not available in ▸ . about:support will not tell you whether VAAPI is actually enabled or used if you flip those settings.
Firefox 80 could easily have been released as Firefox 79.0.1; there is no justification for calling this a major release. The only reason it got a major version bump is the monthly release schedule Mozilla decided on in September 2019. The Mozilla Corporation will simply announce a new "major" version towards the end of each month even if there is absolutely nothing new to release.
Mozilla is currently in a very tough spot. They were forced to lay off 250 employees earlier this month following a 70-employee layoff in January. It is somewhat understandable that they are able to do less than they used to. That they are pushing a new major version just because it's that "time of the month" again is not.