Mozilla has rolled out the latest version of its popular web browser, Firefox. Firefox 83 comes with a patch for a zero-day bug along with other fixes. The browser also introduces HTTPS-Only Mode.
Mozilla Addressed FreeType Zero-day With Fix
With Firefox 83, Mozilla has released a fix for the FreeType zero-day vulnerability that Google researchers highlighted earlier.
Google’s Project Zero Team disclosed the memory corruption bug in the FreeType font rendering library (CVE-2020-15999). While they disclosed the bug as a Chrome zero-day, they explained that any other apps using this library remain vulnerable.
Hence, with the latest Firefox release, Mozilla has addressed this bug with a fix.
As elaborated in their advisory, the bug did not affect Firefox in the same way as Google Chrome.
While Project Zero did discover instances of this vulnerability being exploited in the wild against Chrome, in Firefox this vulnerability is only triggerable if a rarely-used, hidden preference is toggled, and only affected Linux and Android operating systems. Other operating systems are unaffected; and Linux and Android are unaffected in the default configuration.
Mozilla also fixed numerous other high-severity and moderate-severity bugs. These include some memory safety bugs (CVE-2020-26968 and CVE-2020-26969) whose exploitation could allow code execution. The vendor has listed all the bug fixes in an advisory.
Firefox 83 Comes With HTTPS-Only Mode
Besides bug fixes, Mozilla has also released feature upgrades, the most prominent being the HTTPS-only mode.
Announcing the feature in a blog post, Mozilla revealed that the HTTPS-Only mode will let users connect to secure websites only.
This doesn’t mean that Firefox won’t allow HTTP-only sites. Rather, it addresses the common issue where a browser may continue to connect to the insecure version of a site even though a secure version also exists.
The majority of websites already support HTTPS, and those that don’t are increasingly uncommon. Regrettably, websites often fall back to using the insecure and outdated HTTP protocol. Additionally, the web contains millions of legacy HTTP links that point to insecure versions of websites. When you click on such a link, browsers traditionally connect to the website using the insecure HTTP protocol.
Hence, with this feature, Firefox strives to give users more control over visiting secure websites only.
Users can find this setting via the browser settings. Follow this path to reach the option: Menu > Options > Privacy & Security. Then scroll down to find “HTTPS-Only Mode”.
By default, this feature is disabled to avoid any inconvenience to users. They can, however, choose any of the three setting options to suit their browsing preferences.
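Site owners can find the legacy HTTP links described above on their own pages before visitors click them. The following is an added example, not code from Mozilla or the original article: it scans markup for `http://` references and lists the HTTPS URL each one would need to serve. The sample HTML, the `example.test` hosts and the function name `auditLinks` are constructed for illustration.

```javascript
// Added example: audit a page's markup for legacy http:// references.
// SAMPLE_HTML is constructed input; the example.test hosts are placeholders.
const SAMPLE_HTML = `
<a href="http://example.test/login">Sign in</a>
<a href="https://example.test/docs">Docs</a>
<img src="HTTP://cdn.example.test/logo.png">
<a href='/relative/path'>Relative</a>
<script src="//static.example.test/app.js"></script>
<a href="mailto:admin@example.test">Mail</a>
<form action="http://example.test:8080/submit"></form>
`;

// Attributes that make the browser fetch or navigate to a URL.
// A regex is a simplification; a full audit would use a real HTML parser.
const URL_ATTR = /\b(href|src|action)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;

// Returns one finding per reference that resolves to plain HTTP,
// given the URL the page itself is served from.
function auditLinks(html, pageUrl) {
  const findings = [];
  for (const m of html.matchAll(URL_ATTR)) {
    const raw = m[2] ?? m[3];
    let url;
    try {
      // Resolves relative paths and scheme-relative (//host) references.
      url = new URL(raw, pageUrl);
    } catch {
      continue; // not a parseable URL, nothing to audit
    }
    if (url.protocol !== "http:") continue; // https:, mailto: etc. are fine
    const upgraded = new URL(url.href);
    upgraded.protocol = "https:"; // host, port and path stay unchanged
    findings.push({
      attr: m[1].toLowerCase(),
      original: raw,
      upgraded: upgraded.href,
    });
  }
  return findings;
}

// Served over HTTPS, only the three explicit http:// references are flagged.
for (const f of auditLinks(SAMPLE_HTML, "https://example.test/")) {
  console.log(`${f.attr}: ${f.original} -> ${f.upgraded}`);
}
```

When the page itself is served over HTTP, the relative and scheme-relative references inherit that scheme and are reported as well.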