Security News

Mozilla has fixed a known issue causing the Firefox web browser to freeze when copying text on Windows 11 devices where the Suggested Actions clipboard feature is enabled. The issue impacts Firefox users running Microsoft's latest OS release, Windows 11, version 22H2, where this new feature is enabled by default.

CVE-2022-38477 covers bugs that affect only Firefox builds based on the code of version 102 and later, which is the codebase used by the main version, now updated to 104.0, and the primary Extended Support Release version, which is now ESR 102.2. CVE-2022-38478 covers additional bugs that exist in the Firefox code going back to version 91, because that's the basis of the secondary Extended Support Release, which now stands at ESR 91.13.

There's the latest-and-greatest version, currently 103, which has all the latest features and relevant security fixes. There's the Extended Support Release flavour, which synchs up with the features in the latest version every few months, but in between gets security updates only, thus bringing in new features only after they've been available to try out in the mainstream version for some time.

This bug allows a malicious website to create a popup window and then resize it to overwrite the browser's own address bar. This address bar spoofing bug only applies to Firefox on Linux; on other operating systems, the bug apparently can't be triggered.

Mozilla Firefox 102 was released today with a new privacy feature that strips parameters from URLs that are used to track you around the web. Numerous companies, including Facebook, Marketo, Olytics, and HubSpot, utilize custom URL query parameters to track clicks on links.

Mozilla says that all Firefox users will now be protected by default against cross-site tracking while browsing the Internet. "Total Cookie Protection is Firefox's strongest privacy protection to date, confining cookies to the site where they were created, thus preventing tracking companies from using these cookies to track your browsing from site to site."

This follows an intriguing month of Firefox 100 releases, with Firefox 100.0 arriving, as did Chromium 100 a month or so before it, without any trouble caused by the shift from a two-digit to a three-digit version number. No doubt in part due to the efforts of both Google's Chromium and Mozilla's Firefox coders, the 100.0 release of both browsers was ultimately uneventful.

The maintainers of the Tails project have issued a warning that the Tor Browser that's bundled with the operating system is unsafe to use for accessing or entering sensitive information. "We recommend that you stop using Tails until the release of 5.1 if you use Tor Browser for sensitive information," the project said in an advisory issued this week.

Mozilla has released security updates for multiple products to address zero-day vulnerabilities exploited during the Pwn2Own Vancouver 2022 hacking contest. If exploited, the two critical flaws can let attackers gain JavaScript code execution on mobile and desktop devices running vulnerable versions of Firefox, Firefox ESR, Firefox for Android, and Thunderbird.

Late last week, our Slackware Linux distro announced an update to follow the scheduled-and-expected Firefox 100 release, which came out at the start of the month. The blog article, entitled Improved Process Isolation in Firefox 100, actually came out the day before the 100.0.1 release was uploaded to the FTP server, as though the changes were already accomplished in the 100.0 release.