Security News

Five high-severity bugs were fixed in the Firefox web browser with the release of version 74 by the Mozilla Foundation on Tuesday. In total, 12 bugs were patched with six rated as moderate severity and one low-severity bug.

Mozilla has said it plans to make a privacy technology called DNS-over-HTTPS the default setting for US users of Firefox within weeks. Although not a perfect shield against DNS snooping, DoH makes that a lot harder.

A group of researchers has built a sandbox framework that can improve the security of Firefox by isolating third-party libraries used by the browser. Similar to other major browsers, Firefox relies on third-party libraries to render content - such as audio, video, and images - and these libraries often introduce additional vulnerabilities, researchers from the University of California San Diego, University of Texas at Austin, Stanford University and Mozilla say.

Mozilla has started rolling out encrypted DNS-over-HTTPS by default for its Firefox users in the United States. DoH provides increased security for Internet users, the DoH protocol ensures that DNS queries and DNS responses are sent and received over HTTP using TLS. Mozilla has been working on bringing DoH to Firefox since 2017, and tens of thousands were already using the protocol in September 2019, when it revealed plans to roll out DoH to Firefox users in the U.S., in fallback mode.

In theory DNS over HTTPS does not hide the "Fact" of the request transmission, "When" or "Length" of the request from a "Third party" evesdropper only the request "Contents". That is whilst DNS over HTTPS might hide the request contents it does not hide the request or the time it happened at, nore does it hide the traffic to the site the DNS request was for.

Starting today, Mozilla is activating the DNS-over-HTTPS security feature by default for all Firefox users in the U.S. by automatically changing their DNS server configuration in the settings. That means, from now onwards, Firefox will send all your DNS queries to the Cloudflare DNS servers instead of the default DNS servers set by your operating system, router, or network provider.

Firefox version 73 has only been out for a week but already Mozilla has had to update it to version 73.0.1 to fix a range of browser problems and crashes, including when running on Linux machines. In an issue known about for some weeks, users running third-party security programs with anti-exploit protection, including the 0patch 'guerrilla' patching agent, were being affected by crashes.

Rather than patching once a calendar month, Mozilla goes for every sixth Tuesday - or every 42 days, which we call Fortytwosday in a hat-tip to HHGttG. This update takes the regular build of Firefox to 73.0, while the long-term release, which includes security fixes but not feature updates, goes to 68.5.0esr. The good news is that none of the security holes fixed in this update seem to be what are known as zero-day vulnerabilities, which is the industry term for bugs that the crooks figure out first.

The patched version of Mozilla's browser, launched on Tuesday, is Firefox 73 and Firefox ESR 68.5. One of the vulnerabilities, tracked as CVE-2020-6800, was fixed in a previous release of Firefox 72 and the current Firefox ESR 68.5 update on Tuesday.

An improvement over the Secure Sockets Layer protocol, TLS is meant to improve the security of the Web, but flaws and weaknesses in older iterations, specifically TLS 1.0 and TLS 1.1, render connections vulnerable to attacks such as BEAST, CRIME and POODLE. The newer TLS 1.2 and TLS 1.3 versions are both faster and safer, and major browser vendors have already laid out plans to deprecate the older releases to ensure the security of their users. Mozilla has already introduced the change in Firefox Beta 73, in which the minimum TLS version allowable by default is TLS 1.2.