Security News

Mozilla on Thursday announced some changes to its Firefox bug bounty program, including bigger rewards and its decision to accept duplicate reports in some cases. The organization has been running a bug bounty program since 2004, and between 2017 and 2019 it paid out nearly $1 million for roughly 350 vulnerabilities.

Most of the low-severity bugs were insufficient policy enforcements too, complemented by several inappropriate implementations, uninitialized use in WebRTC, and use-after-free in V8. Google says it paid over $26,000 in bug bounty rewards to the reporting security researchers, but the company has yet to disclose the exact amount it awarded for all of the externally reported vulnerabilities. Mozilla, which revisited the previous decision to disable TLS 1.0 and 1.1 in its browser, this week pushed Firefox 75 to the stable channel, packing it with six security patches for the desktop, and two patches targeting vulnerabilities specific to the Android platform.

We'll refer to this one a Fourthytuesday instead, now that Firefox has reduced its update wavelength to four weeks to get important-but-not-zero-day-critical fixes out just that bit more frequently. If your automatic update hasn't happened yet, a manual check will let you "Jump the queue" and get the update a bit sooner.

This means that if you accessed Twitter from a shared or public computer via Mozilla Firefox and took actions like downloading your Twitter data archive or sending or receiving media via Direct Message, this information may have been stored in the browser's cache even after you logged out of Twitter. We started Firefox with a totally empty cache, browsed to twitter.com, and then grabbed a copy of the files Firefox had chosen to keep for later in its cache directory.

If you make use of the Firefox Multi-Container Account add-on, it now includes the ability to sync your customizations across your Firefox account.

Mozilla has released security updates for its Firefox browser in conjunction with a US Cybersecurity and Infrastructure Security Agency advisory warning that critical vulnerabilities in the browser are being actively exploited. To address these flaws, Firefox was updated to version 74.0.1 and Firefox Extended Support Release - a slower evolving version for enterprises - was updated to 68.6.1.

Mozilla has released critical security updates for Firefox and Firefox ESR on Friday, patching two vulnerabilities that are being actively exploited by attackers. Update ASAP. Home users and enterprise admins are advised to implement the provided updates as soon as possible.

Mozilla has released updates for its Firefox web browser to patch two critical use-after-free vulnerabilities that have been exploited in attacks. Both flaws have been addressed with the release of Firefox 74.0.1 and Firefox ESR 68.6.1.

Mozilla just pushed out an update for its Firefox browser to patch a security hole that was already being exploited in the wild. Given that the bug needed patching in both the latest and the ESR versions, we can assume either that the vulnerability has been in the Firefox codebase at least since version 68 first appeared, which was back in July 2019, or that it was introduced as a side effect of a security fix that came out after version 68.0 showed up.0, so the ESR is popular with IT departments who want to avoid frequent feature updates that might require changes in company workflow, but don't want to lag behind on security patches.

Mozilla patched two Firefox browser zero-day vulnerabilities actively being exploited in the wild. Both bugs have critical ratings and allow remote attackers to execute arbitrary code or trigger crashes on machines running versions of Firefox prior to 74.0.1 and its business-friendly Firefox Extended Support Release 68.6.1.