Mozilla Patches a 17-Year Old Flaw And Other Bugs With The Release Of Firefox 68

Mozilla Firefox users once again have to update to the latest browser version. This week Mozilla rolled out Firefox 68, which carries major security updates. The release not only brings security fixes but also blocks cryptominers and fingerprinters.

Firefox 68 Patches Local Data Theft Bug

One of the major security fixes in Firefox 68 addresses a vulnerability more than a decade old that was recently brought back into the spotlight. The flaw, which made the news after Barak Tawily’s report, had been known to Mozilla yet remained unpatched for around 17 years. It could allow an attacker to steal files from the directory in which a locally saved HTML file is opened.

For the past 17 years, different researchers reported the same issue repeatedly to Mozilla. Nonetheless, it remained unpatched until Tawily publicly disclosed it.

Finally, Mozilla has now acknowledged the bug as CVE-2019-11730 (moderate severity) and released a patch for it. As stated in their advisory,

A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may be uploaded to a server.

Mozilla credited Luigi Gubello for demonstrating the exploit through a malicious HTML file.

Luigi Gubello demonstrated that, in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they open that attachment in Firefox, then, because of that app’s predictable pattern for locally saved file names, it is possible to read attachments the victim received from other correspondents.
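To make the policy change behind this fix concrete, here is an added example (not Mozilla's code and not the researchers' proof of concept) that models the two same-origin rules for file: URLs described in the advisory: the legacy rule, under which a local HTML file could read any file in its own directory or sub-directories, and the unique-origin rule, under which each local file is its own origin and can read only itself. The `fetch_allowed` function and the sample paths are assumptions constructed for illustration; the Android download path is a placeholder, not a real app's location.

```python
from posixpath import dirname, normpath
from urllib.parse import unquote, urlsplit


def _file_path(url: str) -> str:
    """Normalise the path of a file: URL so that '..' segments cannot
    escape a directory check (e.g. /a/b/../c becomes /a/c)."""
    parts = urlsplit(url)
    if parts.scheme != "file":
        raise ValueError(f"not a file: URL: {url}")
    return normpath(unquote(parts.path))


def fetch_allowed(document_url: str, target_url: str,
                  unique_file_origin: bool = True) -> bool:
    """Model (an assumption, simplified) of whether a document loaded from
    document_url may read target_url via fetch() without CORS.

    unique_file_origin=False : legacy rule described in the advisory; a
                               local file may read anything in its own
                               directory tree.
    unique_file_origin=True  : every file: URL is its own origin, so only
                               the document itself is same-origin.
    """
    doc, tgt = urlsplit(document_url), urlsplit(target_url)
    if doc.scheme != "file" or tgt.scheme != "file":
        # Ordinary web origins: scheme, host and port must all match.
        return (doc.scheme, doc.netloc) == (tgt.scheme, tgt.netloc)

    doc_path, tgt_path = _file_path(document_url), _file_path(target_url)
    if unique_file_origin:
        return doc_path == tgt_path
    # Legacy: same-origin if the target lives under the document's directory.
    base = dirname(doc_path).rstrip("/") + "/"
    return tgt_path.startswith(base)


if __name__ == "__main__":
    # Constructed placeholder paths; they do not refer to any real app.
    doc = "file:///sdcard/Download/attachment.html"
    sibling = "file:///sdcard/Download/IMG-0001.jpg"
    for mode in (False, True):
        print(f"unique_file_origin={mode}: sibling readable ->",
              fetch_allowed(doc, sibling, unique_file_origin=mode))
```

Run without arguments to see the sibling attachment readable under the legacy rule and blocked under the unique-origin rule. Note that the legacy model still refuses a `..` traversal out of the directory only because the path is normalised first; that normalisation step is the kind of detail that makes an origin check robust.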

Other Security Fixes In Firefox

Apart from this major security fix, Mozilla also patched a number of other vulnerabilities affecting the Firefox browser. These include 4 high-severity vulnerabilities, 9 moderate-severity flaws, and 5 low-severity bugs.

In addition, they fixed the critical memory safety bugs CVE-2019-11710 and CVE-2019-11709, the latter of which affected Firefox ESR as well. The patches for Firefox ESR rolled out with version 60.8.

Better Security With Cryptomining And Fingerprinting Protection

Alongside fixing security bugs, Mozilla also introduced other security features with the new Firefox browser. Users now get control over blocking cryptominers and fingerprinters. While this sort of content blocking was already rolled out with Firefox 67, Firefox 68 introduces separate settings controlling these features.

Users can find these options under the ‘Privacy & Security’ tab in the ‘Custom’ settings, whereas under the ‘Strict’ option they are enabled by default.

Regarding these changes, Mozilla stated in the Firefox blog,

In some cases, blocking this content makes pages load faster, but can affect the page’s functionality. It’s easy to disable blocking on sites you trust.

Users are thus free to manage these settings according to their preferences.
