Mozilla Patches a 17-Year-Old Flaw And Other Bugs With The Release Of Firefox 68

Mozilla Firefox users once again need to update to the latest browser version. This week, Mozilla rolled out Firefox 68, carrying major security updates. This version not only brings security fixes but also blocks cryptominers and fingerprinters.

Firefox 68 Patches Local Data Theft Bug

One of the major security fixes in Firefox 68 addresses a vulnerability that is more than a decade old and was recently highlighted once again. The vulnerability, which made the news after Barak Tawily’s report, had been known to Mozilla yet remained unpatched for around 17 years. The flaw could allow an attacker to steal files from the directory in which an HTML file is opened.

For the past 17 years, different researchers reported the same issue repeatedly to Mozilla. Nonetheless, it remained unpatched until Tawily publicly disclosed it.

Finally, Mozilla has now acknowledged the bug as CVE-2019-11730 (moderate severity) and released a patch for it. As stated in their advisory,

A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may be uploaded to a server.

However, they credited Luigi Gubello with the vulnerability for demonstrating the exploit through malicious HTML.

Luigi Gubello demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app’s predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents.
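The read rule in the advisory can be modeled in a few lines. The following is an added illustration, not Firefox source code or code from the advisory: the function names and file paths are hypothetical, and the post-fix rule assumes each file: URL is treated as its own origin, a detail this article does not give.

```javascript
// Simplified model of which local files a locally opened HTML document may read.
// All paths are constructed sample values.

// Directory part of a parsed file: URL, always ending in "/".
function dirOf(url) {
  return url.pathname.slice(0, url.pathname.lastIndexOf("/") + 1);
}

// Pre-68 rule as the advisory describes it: the document may read any file
// in its own directory or in a sub-directory of it.
function legacyAllowsRead(docHref, targetHref) {
  const doc = new URL(docHref);
  const target = new URL(targetHref); // the URL parser resolves "../" segments
  if (doc.protocol !== "file:" || target.protocol !== "file:") return false;
  // Match on the directory *with* its trailing slash, so that
  // /Downloads/ does not also match /Downloads-private/.
  return target.pathname.startsWith(dirOf(doc));
}

// Post-fix rule (assumption): every file: URL is a unique origin, so a
// document can only "read" itself.
function uniqueOriginAllowsRead(docHref, targetHref) {
  const doc = new URL(docHref);
  const target = new URL(targetHref);
  return doc.protocol === "file:" && doc.href === target.href;
}

// Evaluate both rules for a list of candidate targets.
function compare(docHref, targets) {
  return targets.map((t) => ({
    target: t,
    legacy: legacyAllowsRead(docHref, t),
    fixed: uniqueOriginAllowsRead(docHref, t),
  }));
}

const savedAttachment = "file:///home/user/Downloads/invoice.html";
const report = compare(savedAttachment, [
  "file:///home/user/Downloads/statement.pdf",      // same directory
  "file:///home/user/Downloads/chat/photo.jpg",     // sub-directory
  "file:///home/user/Downloads/../.ssh/config",     // parent traversal
  "file:///home/user/Downloads-private/notes.txt",  // look-alike sibling
]);
console.table(report);
```

Under the legacy rule, everything saved next to an opened HTML attachment is readable, which is why a shared downloads folder with predictable file names made the issue practical.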

Other Security Fixes In Firefox

Apart from this major security fix, Mozilla also patched a number of other vulnerabilities affecting the Firefox browser. These include 4 high-severity vulnerabilities, 9 moderate-severity flaws, and 5 low-severity bugs.

In addition, they fixed the critical memory safety bugs CVE-2019-11710 and CVE-2019-11709, where the latter affected Firefox ESR as well. The patches for Firefox ESR rolled out with version 60.8.

Better Security With Cryptomining And Fingerprinting Protection

Alongside fixing security bugs, Mozilla also introduced other security features with the new Firefox browser. Users now have control over blocking cryptominers and fingerprinters. While this sort of content blocking already rolled out with Firefox 67, Mozilla has now introduced separate settings controlling these features.

Users can find these options under the ‘Privacy & Security’ tab in ‘Custom’ settings.

Under the ‘Strict’ settings option, they are present by default.

Regarding these changes, Firefox stated in their blog,

In some cases, blocking this content makes pages load faster, but can affect the page’s functionality. It’s easy to disable blocking on sites you trust.

Thus, users are now at liberty to manage these settings as per their preferences.

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]