This month’s scheduled Firefox launch is out, with the brand new 102.0 model patching 19 CVE-numbered bugs.
Regardless of the big variety of CVEs, the patches don’t embody any bugs already being exploited within the wild (recognized within the jargon as zero-days), and don’t embody any bugs labelled Crucial.
Maybe probably the most vital patch is the one for CVE-2022-34479, entitled: A popup window might be resized in a solution to overlay the handle bar with internet content material.
This bug permits a malicious web site to create a popup window after which resize it to overwrite the browser’s personal handle bar.
Happily, this handle bar spoofing bug solely applies to Firefox on Linux; on different working programs, the bug apparently can’t be triggered.
As you recognize, the browser’s personal visible elements, together with the menu bar, search bar, handle bar, safety alerts, HTTPS padlock icon and extra, are speculated to be shielded from manipulation by untrusted internet pages rendered by the browser.
These sacrosanct person interface elements are recognized within the jargon as chrome (from which Google’s browser will get its title, in case you had been questioning).
Browser chrome is off-limits to internet pages for apparent causes – to forestall bogus web sites from misrepresenting themselves as reliable.
Which means though phishing websites usually reproduce the look-and-feel of a authentic web site with uncanny precision, they aren’t supposed to have the ability to trick your browser into presenting them as in the event that they had been downloaded from a real URL.
Aspect-by-side view of a current rip-off concentrating on a South African financial institution
Picture-based RCEs
Intriguingly, this month’s fixes consists of two CVES which have the identical bug title, and that let the identical safety misbehaviour, though they’re in any other case unrelated and had been discovered by completely different bug-hunters.
CVE-2022-34482 and CVE-2022-34482 are each headlined: Drag and drop of malicious picture might have led to malicious executable and potential code execution.
Because the bug title suggests, these flaws imply that a picture file that you just save to your desktop by dragging-and dropping it from Firefox might find yourself saved to disk with an extension similar to .EXE as a substitute of with the extra harmless extension you had been anticipating, similar to .PNG or .JPG.
Provided that Home windows annoyingly (and wrongly, in our opinion), doesn’t present you file extensions by default, these Firefox bugs might result in you to belief the file you simply dropped onto your desktop, and due to this fact to open it with out ever being conscious of its true filename.
(In case you save the file by extra conventional means similar to Proper click on > Save Picture As…, the total filename, full with extension, is revealed.)
These bugs aren’t true distant code execution (RCE) vulnerabilities, on condition that an attacker wants to influence you to avoid wasting content material from an internet web page onto your laptop after which to open it up from there, however they do make it more likely that you’d launch a malicious file by mistake.
As an apart, we strongly suggest that you just inform Home windows to point out all file extensions, as a substitute of secretly suppressing them, by altering the File title extensions choice in File Explorer.
Fixes for Follina!
Final month’s Large Dangerous Home windows Bug was Follina, correctly often known as CVE-2022-30190.
Follina was a nasty code execution exploit whereby an attacker might ship you a booby-trapped Microsoft Workplace doc that linked to a URL beginning with the characters ms-msdt:.
That doc would then mechanically run PowerShell code of the attacker’s alternative, even when all you probably did was browse to the file in Explorer with the preview pane turned on.
Firefox has weighed in with extra mitigations of its personal by primarily “disowning” Microsoft’s proprietary URL schemes beginning with ms-msdt: and different probably dangerous names, in order that they not even ask you if you wish to course of the URL:
The
ms-msdt,search, andsearch-msprotocols ship content material to Microsoft functions, bypassing the browser, when a person accepts a immediate. These functions have had recognized vulnerabilities, exploited within the wild (though we all know of none exploited via Firefox), so on this launch Firefox has blocked these protocols from prompting the person to open them.
What to do?
Simply go to Assist > About Firefox to verify what model you’re on – you’re searching for 102.0.
In case you’re up-to-date then a popup will inform you so; if not, the popup will provide to begin the replace for you.
In case you or your organization has caught to the Firefox Prolonged Help Launch (ESR), which incorporates characteristic updates solely each few months however delivers safety updates each time wanted, you’re searching for ESR 91.11.
Keep in mind that ESR 91.11 denotes Firefox 91 with 11 updates’ value of safety fixes, and since 91+11 = 102, you’ll be able to simply inform that you just’re stage with the most recent mainstream model so far as safety patches are involved.
Linux and BSD customers who’ve put in Firefox through their distro might want to verify with their distro for the wanted replace.
