Jump to content

trium

Experienced Members
 View Profile  See their activity

  • Posts

    2,544

  • Joined

  • Last visited

 Content Type 

Posts posted by trium

    The Firefox/Mozilla Thread

    in Software

    Posted

    ff v91.4.0 esr

    07. dec 2021

    Fixed

    Quote

    Security Vulnerabilities fixed in Firefox ESR 91.4.0

    Announced December 7, 2021
    Impact high
    Products Firefox ESR
    Fixed in
    • Firefox ESR 91.4

    #CVE-2021-43536: URL leakage when navigating while executing asynchronous function

    Reporter Sunwoo Kim and Youngmin Kim of SNU CompSec Lab
    Impact high
    Description

    Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL.

    References

    #CVE-2021-43537: Heap buffer overflow when using structured clone

    Reporter bo13oy of Cyber Kunlun Lab
    Impact high
    Description

    An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash.

    References

    #CVE-2021-43538: Missing fullscreen and pointer lock notification when requesting both

    Reporter Irvan Kurniawan (@sourc7)
    Impact high
    Description

    By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks.

    References

    #CVE-2021-43539: GC rooting failure when calling wasm instance methods

    Reporter Asumu Takikawa and Ioanna Dimitriou
    Impact high
    Description

    Failure to correctly record the location of live pointers across wasm instance calls resulted in a GC occurring within the call not tracing those live pointers. This could have led to a use-after-free causing a potentially exploitable crash.

    References

    #CVE-2021-43541: External protocol handler parameters were unescaped

    Reporter chriscla
    Impact moderate
    Description

    When invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not properly escaped.

    References

    #CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence of an external protocol handler

    Reporter Raphael Smolik
    Impact moderate
    Description

    Using XMLHttpRequest, an attacker could have identified installed applications by probing error messages for loading external protocols.

    References

    #CVE-2021-43543: Bypass of CSP sandbox directive when embedding

    Reporter Armin Ebert
    Impact moderate
    Description

    Documents loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by embedding additional content.

    References

    #CVE-2021-43545: Denial of Service when using the Location API in a loop

    Reporter Paul Zühlcke
    Impact low
    Description

    Using the Location API in a loop could have caused severe application hangs and crashes.

    References

    #CVE-2021-43546: Cursor spoofing could overlay user interface when native cursor is zoomed

    Reporter Daniel Veditz
    Impact low
    Description

    It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor.

    References

    #MOZ-2021-0009: Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4

    Reporter Mozilla developers and community
    Impact high
    Description

    Mozilla developers and community members Julian Hector, Randell Jesup, Gabriele Svelto, Tyson Smith, Christian Holler, and Masayuki Nakano reported memory safety bugs present in Firefox 94 and Firefox ESR 91.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

    References

    The Firefox/Mozilla Thread

    in Software

    Posted

    ff v95.0

    07. dec 2021

    New

    • RLBox — a new technology that hardens Firefox against potential security vulnerabilities in third-party libraries — is now enabled on all platforms.

    • Good news! You can now download Firefox from the Microsoft Store on Windows 10 and Windows 11 platforms.

      Simplified browser chrome and toolbar screenshot

    • We’ve reduced CPU usage on macOS in Firefox and WindowServer during event processing.

    • We’ve also reduced the power usage of software decoded video on macOS, especially in fullscreen. This includes streaming sites such as Netflix and Amazon Prime Video.

    • You can now move the Picture-in-Picture toggle button to the opposite side of the video. Simply look for the new context menu option Move Picture-in-Picture Toggle to Left (Right) Side.

    • To better protect Firefox users against side-channel attacks such as Spectre, Site Isolation is now enabled for all Firefox 95 users.

    Fixed

    • After starting Firefox, users of the JAWS screen reader and ZoomText magnifier will no longer need to switch applications in order to access Firefox.

    • You’ll find the state of controls using the ARIA switch role is now correctly reported by Mac OS VoiceOver.

    • You’ll see a faster content process startup on macOS.

    • We’ve also made memory allocator improvements.

    • And we’ve improved page load performance by speculatively compiling JavaScript ahead of time.

    • Various security fixes

    Changed

    • We’ve added a User Agent override for Slack.com, which allows Firefox users to use more Call features and have access to Huddles.

    Enterprise

    unresolved

    • On macOS command-clicking links in Gmail still does not open a new tab. Workaround: you can click links in Gmail without pressing command, which will still open a new tab.

    The Firefox/Mozilla Thread

    in Software

    Posted

    ff v94.0.2

    22. nov 2021

    Fixed

    • Improved hangs experienced by users of assistive technology such as NVDA when installing Firefox through the Microsoft Store (bug 1736742)

    • Resolved general instability/crashes on Linux caused by a file descriptor leak when backgrounding tabs using WebGL (bug 1741997)

    Changed

    • Updated preference design for Firefox Suggest for improved clarity.

    The Firefox/Mozilla Thread

    in Software

    Posted

    I use also ff esr - i dont jump to ff 91.x, i stay with ff 78.15.

    I mean also like andavari that the version jumps brings to many visual changes and new features that u never use and blow up firefox with "features". Perhaps to more google look a like contest  instead mozilla  goes its own way as in the past (time before google chrome). I dont want an google chrome "clone" called firefox. ;-) 

    The Firefox/Mozilla Thread

    in Software

    Posted

    ff v91.3.0 esr

    02. nov 2021

    Fixed

    Quote

    Security Vulnerabilities fixed in Firefox ESR 91.3

    Announced November 2, 2021
    Impact high
    Products Firefox ESR
    Fixed in
    • Firefox ESR 91.3

    #CVE-2021-38503: iframe sandbox rules did not apply to XSLT stylesheets

    Reporter Armin Ebert
    Impact high
    Description

    The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame.

    References

    #CVE-2021-38504: Use-after-free in file picker dialog

    Reporter Irvan Kurniawan
    Impact high
    Description

    When interacting with an HTML input element's file picker dialog with webkitdirectory set, a use-after-free could have resulted, leading to memory corruption and a potentially exploitable crash.

    References

    #CVE-2021-38505: Windows 10 Cloud Clipboard may have recorded sensitive user data

    Reporter Sergey Galich
    Impact high
    Description

    Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on other computers in certain scenarios. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats; and Firefox before versions 94 and ESR 91.3 did not implement them. This could have caused sensitive data to be recorded to a user's Microsoft account.
    This bug only affects Firefox for Windows 10+ with Cloud Clipboard enabled. Other operating systems are unaffected.

    References

    #CVE-2021-38506: Firefox could be coaxed into going into fullscreen mode without notification or warning

    Reporter Irvan Kurniawan
    Impact high
    Description

    Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing.

    References

    #CVE-2021-38507: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports

    Reporter Takeshi Terada
    Impact high
    Description

    The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption; a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage.

    References

    #MOZ-2021-0008: Use-after-free in HTTP2 Session object

    Reporter Julien Cristau
    Impact high
    Description

    A use-after-free could have occured when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash.
    Note: This issue is pending a CVE assignment and will be updated when available.

    References

    #CVE-2021-38508: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing

    Reporter Raphael
    Impact moderate
    Description

    By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission.

    References

    #CVE-2021-38509: Javascript alert box could have been spoofed onto an arbitrary domain

    Reporter Ademar Nowasky Junior
    Impact moderate
    Description

    Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing.

    References

    #CVE-2021-38510: Download Protections were bypassed by .inetloc files on Mac OS

    Reporter houjingyi647
    Impact moderate
    Description

    The executable file warning was not presented when downloading .inetloc files, which, due to a flaw in Mac OS, can run commands on a user's computer.
    Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected.

    References

    #MOZ-2021-0007: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3

    Reporter Mozilla developers
    Impact high
    Description

    Mozilla developers and community members Christian Holler, Valentin Gosu, and Andrew McCreight reported memory safety bugs present in Firefox 93 and Firefox ESR 91.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
    Note: This issue is pending a CVE assignment and will be updated when available.

    References

    The Firefox/Mozilla Thread

    in Software

    Posted

    ff v94.0

    02. nov 2021

    New

    • Colorways animated screenshot

      With 94, you’ll find a selection of six fun seasonal Colorways (available for a limited time only). Now you can find a color to suit (or lift) your every mood.
      Fun fact: Did you know we have more daily users with color themes than dark or Alpenglow on Beta? With Firefox 89, 32% of users clicked through to customize their color theme. And that was just on the first day! We decided to introduce these new Colorways to give our users more to love.

    • Firefox macOS now uses Apple's low power mode for fullscreen video on sites such as YouTube and Twitch. This meaningfully extends battery life in long viewing sessions. Now your kids can find out what the fox says on a loop without you ever missing a beat…

    • With this release, power users can use about:unloads to release system resources by manually unloading tabs without closing them.

    • On Windows, there will now be fewer interruptions because Firefox won’t prompt you for updates. Instead, a background agent will download and install updates even if Firefox is closed.

    • And on Linux, we’ve improved WebGL performance and reduced power consumption for many users.

    • To better protect all Firefox users against side-channel attacks such as Spectre, we’re introducing Site Isolation. It will be rolled out to Firefox 94 users over the next few weeks. We’ve got your back...errr...side!

    • We’re rolling out the Firefox Multi-Account Containers extension with Mozilla VPN integration. This lets you use a different server location for each container.

    • Firefox no longer warns you by default when you exit the browser or close a window using a menu, button, or three-key command. This should cut back on unwelcome notifications which is always nice--however, if you prefer a bit of notice, you’ll still have full control over the quit/close modal behavior. All warnings can be managed within Firefox Settings. No worries! (More details)

    • And now, Firefox supports the new Snap Layouts menus when running on Windows 11.

    Fixed

    • We’ve reduced the overhead of using performance.mark() and performance.measure() APIs with a large set of performance entries.

    • Plus, we’ve modified paint suppression during load to greatly improve warmload performance in Site Isolation mode.

    • You’ll also notice a small reduction in Javascript memory usage.

    • With this release, you’ll notice faster Javascript property enumeration as well.

    • We’ve also implemented better scheduling of garbage collection which has improved some pageload benchmarks.

    • This release also sees reduced CPU usage during socket polling for HTTPS connections.

    • Additionally, you’ll notice faster storage initialization.

    • We’ve also improved cold startup by reducing main thread I/O.

    • Plus, closing devtools now reclaims more memory than ever before.

    • And we’ve improved pageload (especially with Site Isolation mode) by setting a higher priority for loading and displaying images.

    • Various security fixes

    Enterprise

    • Enterprise users now have more control over Firefox deployments with the availability of our MSIX package on Windows platforms.

    • You’ll also notice various bug fixes and new policies have been implemented in this latest version of Firefox. See more details in the Firefox for Enterprise 94 Release Notes.

    Defraggler (Version 1.22.995) identifiying all of my drives as SSD?

    in Defraggler Bug Reporting

    Posted

    On 29/10/2021 at 15:21, benherrmann said:

    Seagate

    perhaps the right signalword...

    seagate have perhaps much larger drive-cache as the standard (32 or 64 mb). i dont think that defraggler or speccy (long time ago for updates) can idendifying this as hdd with such a great cache.

    if you have the exact type/name? or take a look at the homepages -> there are listed the drives and the inbuild cache-sizes

    The Firefox/Mozilla Thread

    in Software

    Posted

    ff v91.2.0 esr

    05. october 2021

    Fixed

    Quote

    Security Vulnerabilities fixed in Firefox ESR 91.2

    Announced October 5, 2021
    Impact high
    Products Firefox ESR
    Fixed in
    • Firefox ESR 91.2

    #CVE-2021-38496: Use-after-free in MessageTask

    Reporter Yangkang of 360 ATA Team
    Impact high
    Description

    During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash.

    References

    #CVE-2021-38497: Validation message could have been overlaid on another origin

    Reporter Irvan Kurniawan
    Impact moderate
    Description

    Through use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks.

    References

    #CVE-2021-38498: Use-after-free of nsLanguageAtomService object

    Reporter Yangkang of 360 ATA Team
    Impact moderate
    Description

    During process shutdown, a document could have caused a use-after-free of a languages service object, leading to memory corruption and a potentially exploitable crash.

    References

    #CVE-2021-32810: Data race in crossbeam-deque

    Reporter Maor Kleinberger
    Impact moderate
    Description

    In the crossbeam crate, one or more tasks in the worker queue could have been be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this could have caused a double free and a memory leak.

    References

    #CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2

    Reporter Mozilla developers
    Impact high
    Description

    Mozilla developers and community members Andreas Pehrson and Christian Holler reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

    References

    #CVE-2021-38501: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2

    Reporter Mozilla developers
    Impact high
    Description

    Mozilla developers and community members Kevin Brosnan, Mihai Alexandru Michis, and Christian Holler reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

    References

     

    The Firefox/Mozilla Thread

    in Software

    Posted

    ff v78.15.0 esr

    05. october 2021

    Fixed

    Quote

    Security Vulnerabilities fixed in Firefox ESR 78.15

    Announced October 5, 2021
    Impact high
    Products Firefox ESR
    Fixed in
    • Firefox ESR 78.15

    #CVE-2021-38496: Use-after-free in MessageTask

    Reporter Yangkang of 360 ATA Team
    Impact high
    Description

    During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash.

    References

    #CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2

    Reporter Mozilla developers
    Impact high
    Description

    Mozilla developers and community members Andreas Pehrson and Christian Holler reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

    References

     

     

    The Firefox/Mozilla Thread

    in Software

    Posted

    ff v93.0

    05. october 2021

    New

    • Firefox now supports the new AVIF image format, which is based on the modern and royalty free AV1 video codec. It offers significant bandwidth savings for sites compared to existing image formats. It also supports transparency and other advanced features.

    • Firefox PDF viewer now supports filling more forms (XFA-based forms, used by multiple governments and banks). Learn more.

    • When available system memory is critically low, Firefox on Windows will automatically unload tabs based on their last access time, memory usage, and other attributes. This should help reduce Firefox out-of-memory crashes. Switching to an unloaded tab automatically reloads it.

    • To prevent session loss for macOS users who are running Firefox from a mounted .dmg file, they’ll now be prompted to finish installation. This permission prompt only appears the first time these users run Firefox on their computer.

    • Firefox now blocks downloads that rely on insecure connections, protecting against potentially malicious or unsafe downloads. Learn more and see where to find downloads in Firefox.

    • Improved web compatibility for privacy protections with SmartBlock 3.0. Learn more

    • Introducing a new referrer tracking protection in Strict Tracking Protection and Private Browsing. Learn more

    • Introducing Firefox Suggest, a faster way to navigate the web. Learn more about the experience and locale-specific features.

    Fixed

    • The VoiceOver screen reader now correctly reports checkable items in accessible tree controls as checked or unchecked.

    • The Orca screen reader now works correctly with Firefox, no longer requiring users to switch to another application after starting Firefox.

    • Various security fixes

    Changed

    • TLS ciphersuites that use 3DES have been disabled. Such ciphersuites can only be enabled when deprecated versions of TLS are also enabled. Learn more.

    • The download panel now follows the Firefox visual styles.

    Enterprise

    Web Platform

    The Firefox/Mozilla Thread

    in Software

    Posted

    ff v91.1.0 esr

    07. september 2021

    Fixed

    Quote

    Security Vulnerabilities fixed in Firefox ESR 91.1

    Announced September 7, 2021
    Impact low
    Products Firefox ESR
    Fixed in
    • Firefox ESR 91.1

    #CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer

    Reporter James Lee
    Impact moderate
    Description

    When delegating navigations to the operating system, Firefox would accept the mk scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode.
    This bug only affects Firefox for Windows. Other operating systems are unaffected.

    References

    #CVE-2021-38495: Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1

    Reporter Mozilla developers and community
    Impact high
    Description

    Mozilla developers Tyson Smith, Christian Holler, and Gabriele Svelto reported memory safety bugs present in Firefox 91 and Firefox ESR 91.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

    References

     

    The Firefox/Mozilla Thread

    in Software

    Posted

    ff v78.14.0 esr

    07. september 2021

    Fixed

    Quote

    Security Vulnerabilities fixed in Firefox ESR 78.14

    Announced September 7, 2021
    Impact moderate
    Products Firefox ESR
    Fixed in
    • Firefox ESR 78.14

    #CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer

    Reporter James Lee
    Impact moderate
    Description

    When delegating navigations to the operating system, Firefox would accept the mk scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode.
    This bug only affects Firefox for Windows. Other operating systems are unaffected.

    References

    #CVE-2021-38493: Memory safety bugs fixed in Firefox 92, Firefox ESR 78.14 and Firefox ESR 91.1

    Reporter Mozilla developers and community
    Impact high
    Description

    Mozilla developers Tyson Smith and Gabriele Svelto reported memory safety bugs present in Firefox 91 and Firefox ESR 78.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

    References

     

    The Firefox/Mozilla Thread

    in Software

    Posted

    ff v92.0

    07. september 2021

    New

    • More secure connections: Firefox can now automatically upgrade to HTTPS using HTTPS RR as Alt-Svc headers.

    • Full-range color levels are now supported for video playback on many systems.

    • Mac users can now access the macOS share options from the Firefox File menu.

    • Support for images containing ICC v4 profiles is enabled on macOS.

    Fixed

    • Firefox performance with screen readers and other accessibility tools is no longer severely degraded if Mozilla Thunderbird is installed or updated after Firefox.

    • macOS VoiceOver now correctly reports buttons and links marked as ‘expanded’ using the aria-expanded attribute.

    • An open alert in a tab no longer causes performance issues in other tabs using the same process.

    • Various security fixes

    Changed

    • The bookmark toolbar menus on macOS now follow Firefox visual styles.

    • Certificate error pages have been redesigned for a better user experience.

    • Continuing work to restructure Firefox’s JavaScript memory management to be more performant and use less memory.

    Enterprise

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.

  I accept