Security News
Today's a Firefox Tuesday, when the latest version of Mozilla's browser comes out, complete with all the security updates that have been merged into the product since the previous release. Note that on Linux and some Unixen, Firefox might be delivered as part of your distro, so check there for the latest version if Firefox doesn't offer to update itself.
Mozilla is beginning to roll out Firefox 95 with a new sandboxing technology called RLBox that prevents untrusted code and other security vulnerabilities from causing "Accidental defects as well as supply-chain attacks." All major browsers are designed to run web content in their own sandboxed environment as a means to counter malicious sites from exploiting a browser vulnerability to compromise the underlying operating system.
Two years ago, we wrote about the fact that incautious software developers had uploaded hundreds of thousands of private access control keys, entirely unintentionally, along with source code files that they did intend to make public. Blindly packaging all these files into an archive for uploading to your favourite public repository seems pretty harmless, given that all the files in the lua account are supposed to be public.
Thousands of Firefox cookie databases containing sensitive data are available on request from GitHub repositories, data potentially usable for hijacking authenticated sessions. Aidan Martin, a security engineer at London-based rail travel service Trainline, alerted The Register to the public availability of these files after reporting his findings through HackerOne and being told by a GitHub representative that "Credentials exposed by our users are not in scope for our Bug Bounty program."
Mozilla hopes to ramp up the monetisation machine with a paid premium version of its Firefox Relay service, upping the current limit of five email aliases to a near-unlimited number. Firefox Relay hides a user's real email address behind an alias to both protect the user's identity and spare their inbox from spam.
Firefox is now available for download through Microsoft's Windows Store for Windows 10 and Windows 11 users, the first major web browser to be added after Opera was added in late September. Until today, Mozilla couldn't bring its web browser onto the Microsoft Store because Redmond's store policies required that all browsers submitted for inclusion had to use the engine provided by Windows.
The Firefox team said that the misbehaving Firefox add-ons they found in June - named Bypass and Bypass XM - were misusing the API to intercept and redirect users from downloading updates, accessing updated blocklists and updating remotely configured content. Mozilla has blocked the malicious add-ons in order to keep them from being installed by yet more users.
Mozilla on Monday disclosed it blocked two malicious Firefox add-ons installed by 455,000 users that were found misusing the Proxy API to impede downloading updates to the browser. The two extensions in question, named Bypass and Bypass XM, "Interfered with Firefox in a way that prevented users who had installed them from downloading updates, accessing updated blocklists, and updating remotely configured content," Mozilla's Rachel Tublitz and Stuart Colville said.
Mozilla blocked malicious Firefox add-ons installed by roughly 455,000 users after discovering in early June that they were abusing the proxy API to block Firefox updates. "Starting with Firefox 91.1, Firefox now includes changes to fall back to direct connections when Firefox makes an important request via a proxy configuration that fails."
Mozilla is now showing ads in the form of sponsored Firefox contextual suggestions when U.S. users type in the URL address bar. While blog posts [1, 2] presenting it under the "Firefox Suggest" name were published in September, it was first mentioned in a Firefox changelog with the release of Firefox 93 two days ago and presented as a "Faster way to navigate the web."