Security News
Mozilla privacy survey finds mental health and prayer apps fail privacy test pretty spectacularly. Apps with the most sensitive data seem to be the worst at protecting user privacy, according to a review by Mozilla's Privacy Not Included team.
While they have good intentions to foster mental health and spiritual wellness, the majority of mental-health and prayer apps can harm their users in other ways by exposing personal and intimate data due to a severe lack of security and privacy protections, researchers from Mozilla have found. Mozilla's Jen Caltrider, the lead researcher for the report, went so far as to call the majority of mental health and prayer apps "Exceptionally creepy" in a blog post about the study.
Mozilla has removed the Yandex Search, Mail.ru, and OK.ru default search providers from the Firefox browser over reports of state-sponsored content favored in search results. Since 2014, Mozilla has made Yandex the default search engine in Russia, and the following year made it the default search for users in Turkey.
Mozilla has removed the Yandex Search, Mail.ru, and OK.ru default search providers from the Firefox browser over reports of state-sponsored content favored in search results. Since 2014, Mozilla has made Yandex the default search engine in Russia, and the following year made it the default search for users in Turkey.
Mozilla has pushed out-of-band software updates to its Firefox web browser to contain two high-impact security vulnerabilities, both of which it says are being actively exploited in the wild. Tracked as CVE-2022-26485 and CVE-2022-26486, the zero-day flaws have been described as use-after-free issues impacting the Extensible Stylesheet Language Transformations parameter processing and the WebGPU inter-process communication Framework.
Mozilla has released an out-of-band security update for Firefox, Firefox Focus, and Thunderbird, fixing two critical vulnerabilities exploited by attackers in the wild. CVE-2022-26485 affects XSLT parameter processing and can be used to achieve remote code execution within the context of the application.
Mozilla has released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 to fix two critical zero-day vulnerabilities actively exploited in attacks. As Mozilla's security advisory explains, the Firefox developers are aware of "Reports of attacks in the wild" actively exploiting these vulnerabilities.
Mozilla is warning website developers that the upcoming Firefox 100 and Chrome 100 versions may break websites when parsing user-agent strings containing three-digit version numbers. Mozilla and Google will continue running experiments for version 100 user-agents until the browsers are released on March 29 for Chrome and May 3 for Firefox.
Mozilla released a security update to address a high severity privilege escalation vulnerability found in the Mozilla Maintenance Service. The Mozilla Maintenance Service is an optional Firefox and Thunderbird service that makes application updates possible in the background.
Many software vendors rely on third-party open source cryptographic tools, such as OpenSSL, or simply hook up with the cryptographic libraries built into the operating system itself, such as Microsoft's Secure Channel on Windows or Apple's Secure Transport on macOS and iOS. But Mozilla has always used its own cryptographic library, known as NSS, short for Network Security Services, instead of relying on third-party or system-level code. The vulnerability is officially known as CVE-2021-43527, but Ormandy has jokingly dubbed it BigSig, because it involves a buffer overflow provoked by submitting a digital signature signed with a cryptographic key that is bigger than the largest key NSS is programmed to expect.