Firefox 82 Is Released With Four High-Impact Security Fixes

From LinuxReviews

Mozilla Firefox 82 is faster on websites using flex CSS layout, there's a new picture-in-picture button that you may or may not find annoying enough to disable, and there are four high-impact and two medium-impact security fixes. There's no performance improvement in synthetic benchmarks.

Written by 윤채경 (Yoon Chae-kyung). Published 2020-10-21, last edited 2020-10-21.

Mozilla Firefox 82 displaying a website using display: flex; CSS layout.

The latest version of the only viable web browser left that's not just a wrapper for Chromium and its Blink rendering engine is, according to the Mozilla Corporation who makes the Firefox web browser product, 20% faster on websites that use flexbox-based layouts. A lot of sites do since it's so convenient.

Mozilla is also claiming that restoring browser sessions is "17% quicker".

Performance

Mozilla's supposed improvements in Firefox 82 do not appear to translate into any notable performance improvement in synthetic benchmarks. WebGL performance has not improved; Firefox is still far behind all the Chromium-based web browsers:

[Chart: Mozilla Firefox 82 vs other web browsers, Unity WebGL 2018]

The "performance improvements" in Firefox 82 do not translate to a higher score in the Basemark Web benchmark:

[Chart: Mozilla Firefox 82 vs other web browsers, Basemark 3]

Mozilla Firefox's score in the WebXprt 3 benchmark, the only benchmark where Firefox comes out on top, has not improved since Firefox 81 was released a mere month ago:

[Chart: Mozilla Firefox 82 vs other web browsers, WebXprt 3]

The benchmarks don't really dispute that Mozilla has made web pages using display: flex; faster; they probably have. A minor and very specific improvement like that wouldn't show up in these particular benchmarks.

New Picture-in-Picture Nag Button

The picture-in-picture feature has been revamped in Firefox 82. It has a "new look" so it's "easier for you to find and use the feature". And it is easier to "find" and see: a big Watch in Picture-in-Picture button appears if you hover the mouse over any video.

New picture-in-picture button in Firefox 82.

The first obvious question you may ask regarding this new, very prominent picture-in-picture button "feature" is probably: So how do I disable that big annoying text all over videos playing in Firefox? Disabling it is possible and quite easy once you know how: type about:config into the navigation bar, search for media.videocontrols.picture-in-picture.video-toggle.enabled and set it to false. There will be no more nagging about going to picture-in-picture mode in Firefox.

The other new features in Firefox 82 are for Windows and macOS users only. There's a new picture-in-picture shortcut on macOS (⌥ Option+⌘ Command+⇧ Shift+Right-bracket) and DirectComposition for hardware video decoding on Windows. The Mozilla Corporation is also claiming that opening a new window is 10% faster on Windows.

Oh, there is one more feature mentioned in the release notes: "You can now explore new articles when you save a webpage to Pocket from the Firefox toolbar", if for some reason you haven't turned that blatant propaganda promotional tool off by setting extensions.pocket.enabled to false in the about:config settings manager.

The Security Fixes

There are four "high" impact security fixes and two "moderate" ones in Firefox 82. The "high" impact ones are:

  • CVE-2020-15969: Use-after-free in usersctp
  • CVE-2020-15254: Undefined behavior in bounded channel of crossbeam rust crate
  • CVE-2020-15683: Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4
  • CVE-2020-15684: Memory safety bugs fixed in Firefox 82

The last two refer to a list of six and four individual memory safety bugs. The "medium" impact vulnerabilities are:

  • CVE-2020-15680: Presence of external protocol handlers could be determined through image tags
  • CVE-2020-15681: Multiple WASM threads may have overwritten each others' stub table entries

The first lets an attacker find out if you have an extension with support for a protocol Firefox itself doesn't support, and the second could be used to cause a potentially exploitable crash. That sounds like something that would be considered "high" impact but Mozilla doesn't seem to agree.

You can download the latest Firefox version from mozilla.org/en-US/firefox/all/ if you don't want to wait until your distribution makes it available. We recommend against it as Linux distributions tend to ship Firefox with a custom preferences profile (usually in /usr/lib64/firefox/browser/defaults/preferences/) with settings that are preferable to those Mozilla ships. Most distributions don't disable the "normandy" back-door the Mozilla Corporation has built into Mozilla Firefox, so you will have to make sure to do that yourself by setting app.normandy.enabled to false in about:config.
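
As an added example (not from the original article or from Mozilla): a small Python check that reads Firefox preference files and reports which of the three preferences named in this article are not set to false. The sample file contents are constructed, and treating an unset preference as enabled is an assumption.

```python
import re

# Preferences this article says to set to false in about:config.
WANTED_FALSE = (
    "media.videocontrols.picture-in-picture.video-toggle.enabled",
    "extensions.pocket.enabled",
    "app.normandy.enabled",
)

# Matches pref("name", value); and user_pref("name", value); lines.
# Lines commented out with // do not match because of the ^\s* anchor.
PREF_LINE = re.compile(
    r'^\s*(user_pref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.MULTILINE
)

def parse_prefs(text):
    """Return {name: (kind, raw_value)}; user_pref beats pref, later lines win."""
    result = {}
    for kind, name, value in PREF_LINE.findall(text):
        previous = result.get(name)
        if previous and previous[0] == "user_pref" and kind == "pref":
            continue  # a distribution default never overrides a user setting
        result[name] = (kind, value)
    return result

def audit(*pref_texts):
    """Return the article's prefs that are not explicitly false in the inputs."""
    merged = parse_prefs("\n".join(pref_texts))
    # Assumption: a preference that is not set anywhere counts as enabled.
    return [n for n in WANTED_FALSE if merged.get(n, (None, "true"))[1] != "false"]

# Constructed sample inputs (not taken from a real system).
DISTRO_DEFAULTS = '''
// constructed distribution file, as found under browser/defaults/preferences/
pref("extensions.pocket.enabled", false);
pref("browser.startup.homepage", "about:blank");
'''
USER_PREFS = '''
user_pref("media.videocontrols.picture-in-picture.video-toggle.enabled", false);
// user_pref("app.normandy.enabled", false);
user_pref("extensions.pocket.enabled", true);
'''

if __name__ == "__main__":
    for name in audit(DISTRO_DEFAULTS, USER_PREFS):
        print("not disabled:", name)
```

To check a real installation, pass the text of the distribution's preference files and of the profile's prefs.js or user.js to audit() instead of the constructed samples.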
