Posts posted by trium
-
-
ff v91.4.0 esr
07. dec 2021
Fixed
-
Various security fixes
Quote: Security Vulnerabilities fixed in Firefox ESR 91.4.0
- Announced December 7, 2021
- Impact high
- Products Firefox ESR
- Fixed in Firefox ESR 91.4
#CVE-2021-43536: URL leakage when navigating while executing asynchronous function
- Reporter Sunwoo Kim and Youngmin Kim of SNU CompSec Lab
- Impact high
Description
Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL.
References
#CVE-2021-43537: Heap buffer overflow when using structured clone
- Reporter bo13oy of Cyber Kunlun Lab
- Impact high
Description
An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash.
References
#CVE-2021-43538: Missing fullscreen and pointer lock notification when requesting both
- Reporter Irvan Kurniawan (@sourc7)
- Impact high
Description
By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks.
References
#CVE-2021-43539: GC rooting failure when calling wasm instance methods
- Reporter Asumu Takikawa and Ioanna Dimitriou
- Impact high
Description
Failure to correctly record the location of live pointers across wasm instance calls resulted in a GC occurring within the call not tracing those live pointers. This could have led to a use-after-free causing a potentially exploitable crash.
References
#CVE-2021-43541: External protocol handler parameters were unescaped
- Reporter chriscla
- Impact moderate
Description
When invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not properly escaped.
References
#CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence of an external protocol handler
- Reporter Raphael Smolik
- Impact moderate
Description
Using XMLHttpRequest, an attacker could have identified installed applications by probing error messages for loading external protocols.
References
#CVE-2021-43543: Bypass of CSP sandbox directive when embedding
- Reporter Armin Ebert
- Impact moderate
Description
Documents loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by embedding additional content.
References
#CVE-2021-43545: Denial of Service when using the Location API in a loop
- Reporter Paul Zühlcke
- Impact low
Description
Using the Location API in a loop could have caused severe application hangs and crashes.
References
#CVE-2021-43546: Cursor spoofing could overlay user interface when native cursor is zoomed
- Reporter Daniel Veditz
- Impact low
Description
It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor.
References
#MOZ-2021-0009: Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4
- Reporter Mozilla developers and community
- Impact high
Description
Mozilla developers and community members Julian Hector, Randell Jesup, Gabriele Svelto, Tyson Smith, Christian Holler, and Masayuki Nakano reported memory safety bugs present in Firefox 94 and Firefox ESR 91.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References
-
-
ff v95.0
07. dec 2021
New
-
RLBox — a new technology that hardens Firefox against potential security vulnerabilities in third-party libraries — is now enabled on all platforms.
-
Good news! You can now download Firefox from the Microsoft Store on Windows 10 and Windows 11 platforms.
-
We’ve reduced CPU usage on macOS in Firefox and WindowServer during event processing.
-
We’ve also reduced the power usage of software decoded video on macOS, especially in fullscreen. This includes streaming sites such as Netflix and Amazon Prime Video.
-
You can now move the Picture-in-Picture toggle button to the opposite side of the video. Simply look for the new context menu option Move Picture-in-Picture Toggle to Left (Right) Side.
-
To better protect Firefox users against side-channel attacks such as Spectre, Site Isolation is now enabled for all Firefox 95 users.
Fixed
-
After starting Firefox, users of the JAWS screen reader and ZoomText magnifier will no longer need to switch applications in order to access Firefox.
-
You’ll find the state of controls using the ARIA switch role is now correctly reported by Mac OS VoiceOver.
-
You’ll see a faster content process startup on macOS.
-
We’ve also made memory allocator improvements.
-
And we’ve improved page load performance by speculatively compiling JavaScript ahead of time.
-
Various security fixes
Changed
-
We’ve added a User Agent override for Slack.com, which allows Firefox users to use more Call features and have access to Huddles.
Enterprise
-
Various bug fixes and new policies have been implemented in this latest version of Firefox.
Developer
Unresolved
-
On macOS command-clicking links in Gmail still does not open a new tab. Workaround: you can click links in Gmail without pressing command, which will still open a new tab.
-
-
ff v94.0.2
22. nov 2021
Fixed
-
Improved hangs experienced by users of assistive technology such as NVDA when installing Firefox through the Microsoft Store (bug 1736742)
-
Resolved general instability/crashes on Linux caused by a file descriptor leak when backgrounding tabs using WebGL (bug 1741997)
Changed
-
Updated preference design for Firefox Suggest for improved clarity.
-
-
perhaps the virtualization option at the bios is not activated?
-
I hope that w11 works without the tpm chip and "directx 33 + wddm 7" version. ;-)
At the moment I'll stay with 8.1
-
I use also ff esr - i don't jump to ff 91.x, i stay with ff 78.15.
I mean also like andavari that the version jumps bring too many visual changes and new features that u never use and blow up firefox with "features". Perhaps too much of a google look-alike contest instead of mozilla going its own way as in the past (time before google chrome). I don't want a google chrome "clone" called firefox. ;-)
-
:-) the one or other unnecessary equipment...
for downloading older versions:
-
ff v91.3.0 esr
02. nov 2021
Fixed
-
Various stability, functionality, and security fixes
Quote: Security Vulnerabilities fixed in Firefox ESR 91.3
- Announced November 2, 2021
- Impact high
- Products Firefox ESR
- Fixed in Firefox ESR 91.3
#CVE-2021-38503: iframe sandbox rules did not apply to XSLT stylesheets
- Reporter Armin Ebert
- Impact high
Description
The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame.
References
#CVE-2021-38504: Use-after-free in file picker dialog
- Reporter Irvan Kurniawan
- Impact high
Description
When interacting with an HTML input element's file picker dialog with `webkitdirectory` set, a use-after-free could have resulted, leading to memory corruption and a potentially exploitable crash.
References
#CVE-2021-38505: Windows 10 Cloud Clipboard may have recorded sensitive user data
- Reporter Sergey Galich
- Impact high
Description
Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on other computers in certain scenarios. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats; and Firefox before versions 94 and ESR 91.3 did not implement them. This could have caused sensitive data to be recorded to a user's Microsoft account.
This bug only affects Firefox for Windows 10+ with Cloud Clipboard enabled. Other operating systems are unaffected.
References
#CVE-2021-38506: Firefox could be coaxed into going into fullscreen mode without notification or warning
- Reporter Irvan Kurniawan
- Impact high
Description
Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing.
References
#CVE-2021-38507: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports
- Reporter Takeshi Terada
- Impact high
Description
The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption; a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage.
References
#MOZ-2021-0008: Use-after-free in HTTP2 Session object
- Reporter Julien Cristau
- Impact high
Description
A use-after-free could have occurred when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash.
Note: This issue is pending a CVE assignment and will be updated when available.
References
#CVE-2021-38508: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing
- Reporter Raphael
- Impact moderate
Description
By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission.
References
#CVE-2021-38509: Javascript alert box could have been spoofed onto an arbitrary domain
- Reporter Ademar Nowasky Junior
- Impact moderate
Description
Due to an unusual sequence of attacker-controlled events, a Javascript `alert()` dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing.
References
#CVE-2021-38510: Download Protections were bypassed by .inetloc files on Mac OS
- Reporter houjingyi647
- Impact moderate
Description
The executable file warning was not presented when downloading .inetloc files, which, due to a flaw in Mac OS, can run commands on a user's computer.
Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected.
References
#MOZ-2021-0007: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3
- Reporter Mozilla developers
- Impact high
Description
Mozilla developers and community members Christian Holler, Valentin Gosu, and Andrew McCreight reported memory safety bugs present in Firefox 93 and Firefox ESR 91.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
Note: This issue is pending a CVE assignment and will be updated when available.
References
-
-
ff v94.0.1
04. nov 2021
Fixed
-
Fixed browser hangs when viewing fullscreen videos on macOS 10.12 (bug 1737998)
-
-
ff v94.0
02. nov 2021
New
-
With 94, you’ll find a selection of six fun seasonal Colorways (available for a limited time only). Now you can find a color to suit (or lift) your every mood.
Fun fact: Did you know we have more daily users with color themes than dark or Alpenglow on Beta? With Firefox 89, 32% of users clicked through to customize their color theme. And that was just on the first day! We decided to introduce these new Colorways to give our users more to love.
-
Firefox macOS now uses Apple's low power mode for fullscreen video on sites such as YouTube and Twitch. This meaningfully extends battery life in long viewing sessions. Now your kids can find out what the fox says on a loop without you ever missing a beat…
-
With this release, power users can use about:unloads to release system resources by manually unloading tabs without closing them.
-
On Windows, there will now be fewer interruptions because Firefox won’t prompt you for updates. Instead, a background agent will download and install updates even if Firefox is closed.
-
And on Linux, we’ve improved WebGL performance and reduced power consumption for many users.
-
To better protect all Firefox users against side-channel attacks such as Spectre, we’re introducing Site Isolation. It will be rolled out to Firefox 94 users over the next few weeks. We’ve got your back...errr...side!
-
We’re rolling out the Firefox Multi-Account Containers extension with Mozilla VPN integration. This lets you use a different server location for each container.
-
Firefox no longer warns you by default when you exit the browser or close a window using a menu, button, or three-key command. This should cut back on unwelcome notifications which is always nice--however, if you prefer a bit of notice, you’ll still have full control over the quit/close modal behavior. All warnings can be managed within Firefox Settings. No worries! (More details)
-
And now, Firefox supports the new Snap Layouts menus when running on Windows 11.
Fixed
-
We’ve reduced the overhead of using performance.mark() and performance.measure() APIs with a large set of performance entries.
-
Plus, we’ve modified paint suppression during load to greatly improve warmload performance in Site Isolation mode.
-
You’ll also notice a small reduction in Javascript memory usage.
-
With this release, you’ll notice faster Javascript property enumeration as well.
-
We’ve also implemented better scheduling of garbage collection which has improved some pageload benchmarks.
-
This release also sees reduced CPU usage during socket polling for HTTPS connections.
-
Additionally, you’ll notice faster storage initialization.
-
We’ve also improved cold startup by reducing main thread I/O.
-
Plus, closing devtools now reclaims more memory than ever before.
-
And we’ve improved pageload (especially with Site Isolation mode) by setting a higher priority for loading and displaying images.
-
Various security fixes
Enterprise
-
Enterprise users now have more control over Firefox deployments with the availability of our MSIX package on Windows platforms.
-
You’ll also notice various bug fixes and new policies have been implemented in this latest version of Firefox. See more details in the Firefox for Enterprise 94 Release Notes.
Developer
-
-
-
-
for example
seagate barracuda 3.5 inch with 2 tb (st2000dm005) have 256 mb drive cache
seagate barracuda 2.5 inch with 0.5 tb (st500lm030) have 128 mb drive cache
-
perhaps the detection method of the cache size is not up to date at defraggler and speccy.
seagate uses an optimized cache procedure for more read/write speed called mtc.
with western digital i don't know.
-
On 29/10/2021 at 15:21, benherrmann said:
Seagate
perhaps the right signalword...
seagate have perhaps much larger drive-cache than the standard (32 or 64 mb). i don't think that defraggler or speccy (long time ago for updates) can identify this as hdd with such a great cache.
if you have the exact type/name? or take a look at the homepages -> there are listed the drives and the built-in cache-sizes
-
i'm on ff v78 esr :-) lucky to not have trusted partner(s) - i hope
-
i mean
05 + c4
-
ff v91.2.0 esr
05. october 2021
Fixed
-
Various stability, functionality, and security fixes
Quote: Security Vulnerabilities fixed in Firefox ESR 91.2
- Announced October 5, 2021
- Impact high
- Products Firefox ESR
- Fixed in Firefox ESR 91.2
#CVE-2021-38496: Use-after-free in MessageTask
- Reporter Yangkang of 360 ATA Team
- Impact high
Description
During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash.
References
#CVE-2021-38497: Validation message could have been overlaid on another origin
- Reporter Irvan Kurniawan
- Impact moderate
Description
Through use of `reportValidity()` and `window.open()`, a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks.
References
#CVE-2021-38498: Use-after-free of nsLanguageAtomService object
- Reporter Yangkang of 360 ATA Team
- Impact moderate
Description
During process shutdown, a document could have caused a use-after-free of a languages service object, leading to memory corruption and a potentially exploitable crash.
References
#CVE-2021-32810: Data race in crossbeam-deque
- Reporter Maor Kleinberger
- Impact moderate
Description
In the crossbeam crate, one or more tasks in the worker queue could have been popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this could have caused a double free and a memory leak.
References
#CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
- Reporter Mozilla developers
- Impact high
Description
Mozilla developers and community members Andreas Pehrson and Christian Holler reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References
#CVE-2021-38501: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
- Reporter Mozilla developers
- Impact high
Description
Mozilla developers and community members Kevin Brosnan, Mihai Alexandru Michis, and Christian Holler reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References
-
-
ff v78.15.0 esr
05. october 2021
Fixed
-
Various stability, functionality, and security fixes
Quote: Security Vulnerabilities fixed in Firefox ESR 78.15
- Announced October 5, 2021
- Impact high
- Products Firefox ESR
- Fixed in Firefox ESR 78.15
#CVE-2021-38496: Use-after-free in MessageTask
- Reporter Yangkang of 360 ATA Team
- Impact high
Description
During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash.
References
#CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
- Reporter Mozilla developers
- Impact high
Description
Mozilla developers and community members Andreas Pehrson and Christian Holler reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References
-
-
ff v93.0
05. october 2021
New
-
Firefox now supports the new AVIF image format, which is based on the modern and royalty free AV1 video codec. It offers significant bandwidth savings for sites compared to existing image formats. It also supports transparency and other advanced features.
-
Firefox PDF viewer now supports filling more forms (XFA-based forms, used by multiple governments and banks). Learn more.
-
When available system memory is critically low, Firefox on Windows will automatically unload tabs based on their last access time, memory usage, and other attributes. This should help reduce Firefox out-of-memory crashes. Switching to an unloaded tab automatically reloads it.
-
To prevent session loss for macOS users who are running Firefox from a mounted .dmg file, they’ll now be prompted to finish installation. This permission prompt only appears the first time these users run Firefox on their computer.
-
Firefox now blocks downloads that rely on insecure connections, protecting against potentially malicious or unsafe downloads. Learn more and see where to find downloads in Firefox.
-
Improved web compatibility for privacy protections with SmartBlock 3.0. Learn more
-
Introducing a new referrer tracking protection in Strict Tracking Protection and Private Browsing. Learn more
-
Introducing Firefox Suggest, a faster way to navigate the web. Learn more about the experience and locale-specific features.
Fixed
-
The VoiceOver screen reader now correctly reports checkable items in accessible tree controls as checked or unchecked.
-
The Orca screen reader now works correctly with Firefox, no longer requiring users to switch to another application after starting Firefox.
-
Various security fixes
Changed
-
TLS ciphersuites that use 3DES have been disabled. Such ciphersuites can only be enabled when deprecated versions of TLS are also enabled. Learn more.
-
The download panel now follows the Firefox visual styles.
Enterprise
-
Various bug fixes and new policies have been implemented in the latest version of Firefox. See more details in the Firefox for Enterprise 93 Release Notes.
Developer
Web Platform
-
The UI for <input type="datetime-local"> has been implemented.
-
-
ff v92.0.1
23. sept 2021
Fixed
-
Fixes an issue where audio playback was not working on some Linux systems (bug 1730499)
-
Fixes issues with the findbar close button on different operating systems (bug 1728368)
-
-
ff v91.1.0 esr
07. september 2021
Fixed
-
Various stability, functionality, and security fixes
Quote: Security Vulnerabilities fixed in Firefox ESR 91.1
- Announced September 7, 2021
- Impact low
- Products Firefox ESR
- Fixed in Firefox ESR 91.1
#CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer
- Reporter James Lee
- Impact moderate
Description
When delegating navigations to the operating system, Firefox would accept the `mk` scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode.
This bug only affects Firefox for Windows. Other operating systems are unaffected.
References
#CVE-2021-38495: Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1
- Reporter Mozilla developers and community
- Impact high
Description
Mozilla developers Tyson Smith, Christian Holler, and Gabriele Svelto reported memory safety bugs present in Firefox 91 and Firefox ESR 91.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References
-
-
ff v78.14.0 esr
07. september 2021
Fixed
-
Various stability, functionality, and security fixes
Quote: Security Vulnerabilities fixed in Firefox ESR 78.14
- Announced September 7, 2021
- Impact moderate
- Products Firefox ESR
- Fixed in Firefox ESR 78.14
#CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer
- Reporter James Lee
- Impact moderate
Description
When delegating navigations to the operating system, Firefox would accept the `mk` scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode.
This bug only affects Firefox for Windows. Other operating systems are unaffected.
References
#CVE-2021-38493: Memory safety bugs fixed in Firefox 92, Firefox ESR 78.14 and Firefox ESR 91.1
- Reporter Mozilla developers and community
- Impact high
Description
Mozilla developers Tyson Smith and Gabriele Svelto reported memory safety bugs present in Firefox 91 and Firefox ESR 78.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References
-
-
ff v92.0
07. september 2021
New
-
More secure connections: Firefox can now automatically upgrade to HTTPS using HTTPS RR as Alt-Svc headers.
-
Full-range color levels are now supported for video playback on many systems.
-
Mac users can now access the macOS share options from the Firefox File menu.
-
Support for images containing ICC v4 profiles is enabled on macOS.
Fixed
-
Firefox performance with screen readers and other accessibility tools is no longer severely degraded if Mozilla Thunderbird is installed or updated after Firefox.
-
macOS VoiceOver now correctly reports buttons and links marked as ‘expanded’ using the aria-expanded attribute.
-
An open alert in a tab no longer causes performance issues in other tabs using the same process.
-
Various security fixes
Changed
-
The bookmark toolbar menus on macOS now follow Firefox visual styles.
-
Certificate error pages have been redesigned for a better user experience.
-
Continuing work to restructure Firefox’s JavaScript memory management to be more performant and use less memory.
Enterprise
-
Various bug fixes and new policies have been implemented in the latest version of Firefox. See more details in the Firefox for Enterprise 92 Release Notes.
Developer
-
The Firefox/Mozilla Thread
in Software
Posted
ff v95.0.1
16. dec 2021
Fixed
Fixed frequent MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error messages when trying to connect to various microsoft.com domains (bug 1745600)
Fix for a WebRender crash on some Linux/X11 systems (bug 1741956)
Fix for a frequent Windows shutdown crash (bug 1738984)
Fix websites contrast issues for some Linux users with Dark mode set at OS level (bug 1740518)