Firefox 80 Released With 10 Security Fixes And A Higher Version Number

From LinuxReviews

Fixes for three "high", four "moderate" and three "low" impact security holes are all the latest Firefox release has to offer beyond a new capability to "be set as the default system PDF viewer". The marginalized, near-bankrupt Mozilla Corporation appears to be unable to put more than larger version numbers on the table after it was forced to fire 250 employees earlier this month.

written by 윤채경 (Yoon Chae-kyung)  2020-08-27 - last edited 2020-08-28. © CC BY

Mozilla Firefox showing the Mozilla Corporation's financial reality after a decade of declining market share.

It is quite ridiculous to see the release notes for a major, not minor, version of a big software product like Firefox list

"Firefox can now be set as the default system PDF viewer."

Firefox 80 release notes

as the only major new "feature". The three "high" impact security vulnerabilities, two of which affect GNU/Linux, are the only reason why the 4.26% of web browser users who use Firefox should upgrade. CVE-2020-15664 describes how the eval() function could be referenced from an about:blank window in order to access the Firefox InstallTrigger object. That trick could be used to prompt users to install an extension. CVE-2020-15670 covers several memory safety bugs in Firefox that could be used to corrupt memory and potentially run arbitrary code. The last "high" impact security flaw fixed in Firefox 80, CVE-2020-15663, is Windows-specific. Earlier versions would run updater.exe with administrative privileges. updater.exe is only executed if it is signed by Mozilla, but that will not stop an attacker from accomplishing evil by replacing updater.exe with an old version riddled with security holes.

Firefox 80 does have something that could be of interest to GNU/Linux users which Mozilla didn't bother to put in the release notes: experimental support for hardware video acceleration on X using VAAPI is included but not enabled. Two new settings named media.ffmpeg.vaapi.enabled and media.ffmpeg.vaapi-drm-display.enabled are available under about:config in this release. Neither of those options is enabled by default and they are not available in Edit ▸ Preferences. about:support will not tell you whether VAAPI is actually enabled or used if you flip those settings.

Firefox 80 could easily have been released as Firefox 79.0.1; there is no justification for calling this a major release. The only reason it got a major version bump is the monthly release schedule Mozilla decided on in September 2019: the Mozilla Corporation will simply announce a new "major" version towards the end of each month even if there is absolutely nothing new to release.

Mozilla Firefox went from being a fairly common web browser with a 31% market share in 2010 to being an almost irrelevant web browser with a mere 4.26% market share in August 2020.

Mozilla is currently in a very tough spot. They were forced to lay off 250 employees earlier this month following a 70 employee layoff in January. It is somewhat understandable that they are able to do less than they used to. That they are pushing a new major version just because it's that "time of the month" again is not.




Jamiefoxx

16 months ago
I can give this browser a break since you can customize the heck out of the settings. I get it though, a lot of what Mozilla do makes me scratch my head.

Chaekyung

16 months ago

Mozilla could start by being honest about their browser or live up to their marketing. Firefox is marketed as a privacy browser. Right now the front page of mozilla.org claims "Firefox products are designed to protect your privacy". It's also got some racist Marxist propaganda like "Black lives matter. Black voices matter."

Why do users have to manually set toolkit.telemetry.enabled to false if Firefox is a privacy browser, which is what they are marketing it as? Why are there whitelistTables with google-trackwhite-digest256 (and blacklist tables for facebook/linkedin/twitter)?

I also don't like how Firefox has a huge back-door called "studies". That name is misleading, it is actually a "feature" that allows Mozilla to push and install "extensions" that change functionality with zero user consent (you're not even informed). That's probably the primary reason why I simply don't trust Mozilla. At all.

Firefox is way slower than Chromium/Blink based browsers. That's a minus, but it is actually not as big of a deal as telemetry and a backdoor.