The Mozilla developers have not only corrected many vulnerabilities in the Firefox 112 web browser, but have also incorporated functional improvements. In addition, Firefox ESR and Thunderbird are now available in version 102.10, which also close security gaps.
Firefox 112: Improved features
The Mozilla developers mention in the Release notes some improvements, which Firefox 112 brings. For example, they added that right-clicking on a password form field can now reveal the password. The keyboard shortcut Strg+Shift+T can now not only restore recently closed tabs, but also reopen the last session if there are no more closed tabs in the current session.
The “middle-click”, usually with the mouse wheel, on an entry in the tab list of the tab bar now closes the corresponding tab. Software-decoded videos on Intel GPUs are now displayed via an overlay – this should improve the quality of the scaling and reduce the GPU load. The developers have equipped the Enhanced Tracking Protection (ETP) with other known tracking parameters, which it removes when URLs are called.
In addition, the Mozilla programmers mention the change that the U2F JavaScript API is now disabled by default. However, the U2F protocol can still be used using the WebAuthn API. The setting parameter security.webauth.u2f however, allows the API to be re-enabled if necessary.
Overall, the programmers close 22 security gaps in the updated version of the Firefox web browser. Of these, ten are classified as high-risk, eight are classified as medium-risk and another four are classified as low-risk. Some are limited to certain operating systems: Under Android, for example, a full-screen notification could be disguised in various ways and thus irritated users or presented with fake content (CVE-2023-29534, risk “hoch“). Two other ways to do this existed on all supported operating systems (CVE-2023-29533, “hoch”).
On macOS, attackers could possibly have abused memory access outside of the intended limits in WebGL to inject and execute malicious code (CVE-2023-29531, “hoch”). The Mozilla Maintenance Service Write-Lock could only be circumvented on Windows, which allowed attackers to foist manipulated update files on users (CVE-2023-29532, “hoch”).
Firefox Extended Stable Release und Thunderbird
Firefox ESR 102.10 closes seven vulnerabilities with a high risk rating, five with a medium threat rating, and one with a low risk rating. The Release notes for the mail program Thunderbird are very brief this time. Thunderbird now chooses encryption with S/MIME for new messages if this has been configured and OpenPGP is not set up. Also had calendar events in the time zone America/Mexico_City mistakenly applied daylight saving time. In addition, the version is poetic laut Security-Advisory eight high-risk vulnerabilities, six medium-risk vulnerabilities, and one low-risk leak.
The additional high-risk vulnerability compared to Firefox ESR stems from a faulty S/MIME certificate check that did not test whether the certificates were revoked. The medium-risk vulnerability, which Thunderbird has more than Firefox ESR, stems from a denial of service situation that could occur when processing carefully crafted OpenPGP messages.
By clicking on the browser menu – i.e. the symbol with the three stacked lines to the right of the address bar – and continuing via “Help” – “About Firefox” (or “About Thunderbird”), users can find out which version they are currently using and start it if necessary, the update.
(Bild: Screenshot/dmk)
You can find out whether the current version is already installed by clicking on the browser menu – i.e. the symbol with the three superimposed lines on the right of the address bar – and then going on via “Help” – “About Firefox” (or “About Thunderbird” ) find out. This displays the version currently in use and starts the update if available, after which the dialog then offers the necessary browser restart.
When Firefox 111 was released about a month ago, the developers closed 13 security gaps, some of which were high-risk.
(dmk)
