The Mozilla team has had a productive few days, having issued an update to Firefox only a day after releasing the web browser’s latest major version that plugged eight CVE-listed security holes.
First, Tuesday saw the rollout of Firefox 77.0 into the stable channel for Windows, macOS and Linux. The new version was shipped with a bunch of new features and improvements, as well as important security fixes.
Five vulnerabilities received a high-severity score, with three of them allowing bad actors to run arbitrary code on vulnerable installations. In Mozilla’s own words, a flaw classified as high in severity “can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions”.
Some of those vulnerabilities also affected the browser’s ESR version, which is intended for large organizations and for which a new build (ESR 68.9) was also released on Tuesday. The update round also plugged two flaws rated as moderate and one low-risk vulnerability.
The full list of the CVEs – uncovered by an assortment of experts, including Mozilla’s own developers, academics from Finland, and independent researchers – is available in Mozilla’s latest security advisories for Firefox and for Firefox ESR, respectively. Importantly, as of the time of releasing the update none of the flaws had been spotted as being abused in the wild.
D’oh
A day went by and another Firefox version – 77.0.1 – was released for all supported desktop platforms, whereas the rollout of Firefox 77.0 was halted. This time, the update addressed an issue in the browser’s use of DNS over HTTPS (DoH), a protocol that the browser maker first enabled by default for US-based users a little over three months ago. DoH is intended to enhance people’s privacy and security on the web, with other major browsers such as Chrome and Edge moving in the same direction.
The bug was causing somewhat of a distributed denial-of-service (DDoS) condition. In the developers' words, it seemed to be "effectively DDoS'ing NextDNS, one of our DNS over HTTPs providers".
“We need to be able to roll this out gradually so that we don't overload any providers. Even the dry-run involves up to 10 requests per client, which can be very significant when the entire release population updates,” per Bugzilla, Mozilla's bug tracking tool. According to the changelog, the update “disabled automatic selection of DNS over HTTPS providers during a test to enable wider deployment in a more controlled way”.
Firefox – which commands a 9-percent desktop browser market share – is known for shipping security updates at a rather rapid clip and not only when faced with a major security issue. Speaking of which, early this year Mozilla rushed out a patch for a zero-day only a day after shipping out a new major version of its browser.
Unless you have already applied the latest updates, you would be well advised to check for them by navigating to the browser's Menu, then clicking on Help and About Firefox.