Security News
Mozilla is beginning to roll out Firefox 95 with a new sandboxing technology called RLBox that prevents untrusted code and other security vulnerabilities from causing "Accidental defects as well as supply-chain attacks." All major browsers are designed to run web content in their own sandboxed environment as a means to counter malicious sites from exploiting a browser vulnerability to compromise the underlying operating system.
Two years ago, we wrote about the fact that incautious software developers had uploaded hundreds of thousands of private access control keys, entirely unintentionally, along with source code files that they did intend to make public. Blindly packaging all these files into an archive for uploading to your favourite public repository seems pretty harmless, given that all the files in the lua account are supposed to be public.
Thousands of Firefox cookie databases containing sensitive data are available on request from GitHub repositories, data potentially usable for hijacking authenticated sessions. Aidan Martin, a security engineer at London-based rail travel service Trainline, alerted The Register to the public availability of these files after reporting his findings through HackerOne and being told by a GitHub representative that "Credentials exposed by our users are not in scope for our Bug Bounty program."
Mozilla hopes to ramp up the monetisation machine with a paid premium version of its Firefox Relay service, upping the current limit of five email aliases to a near-unlimited number. Firefox Relay hides a user's real email address behind an alias to both protect the user's identity and spare their inbox from spam.
Firefox is now available for download through Microsoft's Windows Store for Windows 10 and Windows 11 users, the first major web browser to be added after Opera was added in late September. Until today, Mozilla couldn't bring its web browser onto the Microsoft Store because Redmond's store policies required that all browsers submitted for inclusion had to use the engine provided by Windows.
The Firefox team said that the misbehaving Firefox add-ons they found in June - named Bypass and Bypass XM - were misusing the API to intercept and redirect users from downloading updates, accessing updated blocklists and updating remotely configured content. Mozilla has blocked the malicious add-ons in order to keep them from being installed by yet more users.
Mozilla on Monday disclosed it blocked two malicious Firefox add-ons installed by 455,000 users that were found misusing the Proxy API to impede downloading updates to the browser. The two extensions in question, named Bypass and Bypass XM, "Interfered with Firefox in a way that prevented users who had installed them from downloading updates, accessing updated blocklists, and updating remotely configured content," Mozilla's Rachel Tublitz and Stuart Colville said.
Mozilla blocked malicious Firefox add-ons installed by roughly 455,000 users after discovering in early June that they were abusing the proxy API to block Firefox updates. "Starting with Firefox 91.1, Firefox now includes changes to fall back to direct connections when Firefox makes an important request via a proxy configuration that fails."
Mozilla is now showing ads in the form of sponsored Firefox contextual suggestions when U.S. users type in the URL address bar. While blog posts [1, 2] presenting it under the "Firefox Suggest" name were published in September, it was first mentioned in a Firefox changelog with the release of Firefox 93 two days ago and presented as a "Faster way to navigate the web."
Mozilla says that Firefox users will be better protected from advertising trackers while browsing the Internet in Private Browsing mode and using Strict Tracking Protection. The SmartBlock mechanism, introduced by Mozilla with the release of Firefox 87 in March, ensures that the Tracking Protection feature and Strict Mode don't break websites when blocking tracking scripts.