Security News

Mozilla is warning website developers that the upcoming Firefox 100 and Chrome 100 versions may break websites when parsing user-agent strings containing three-digit version numbers. Mozilla and Google will continue running experiments for version 100 user-agents until the browsers are released on March 29 for Chrome and May 3 for Firefox.

Mozilla released a security update to address a high severity privilege escalation vulnerability found in the Mozilla Maintenance Service. The Mozilla Maintenance Service is an optional Firefox and Thunderbird service that makes application updates possible in the background.

Many software vendors rely on third-party open source cryptographic tools, such as OpenSSL, or simply hook up with the cryptographic libraries built into the operating system itself, such as Microsoft's Secure Channel on Windows or Apple's Secure Transport on macOS and iOS. But Mozilla has always used its own cryptographic library, known as NSS, short for Network Security Services, instead of relying on third-party or system-level code. The vulnerability is officially known as CVE-2021-43527, but Ormandy has jokingly dubbed it BigSig, because it involves a buffer overflow provoked by submitting a digital signature signed with a cryptographic key that is bigger than the largest key NSS is programmed to expect.

Mozilla has rolled out fixes to address a critical security weakness in its cross-platform Network Security Services cryptographic library that could be potentially exploited by an adversary to crash a vulnerable application and even execute arbitrary code. Tracked as CVE-2021-43527, the flaw affects NSS versions prior to 3.73 or 3.68.1 ESR, and concerns a heap overflow vulnerability when verifying digital signatures such as DSA and RSA-PSS algorithms that are encoded using the DER binary format.

NSS can be used to develop security-enabled client and server apps with support for SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and various other security standards. "Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted," Mozilla said in a security advisory issued today.

Mozilla has announced the availability of a new free and paid Premium service, called Firefox Relay. You can pay for a Premium account where you get more aliases and can even create a new email domain for the aliases.

Mozilla hopes to ramp up the monetisation machine with a paid premium version of its Firefox Relay service, upping the current limit of five email aliases to a near-unlimited number. Firefox Relay hides a user's real email address behind an alias to both protect the user's identity and spare their inbox from spam.

Firefox is now available for download through Microsoft's Windows Store for Windows 10 and Windows 11 users, the first major web browser to be added after Opera was added in late September. Until today, Mozilla couldn't bring its web browser onto the Microsoft Store because Redmond's store policies required that all browsers submitted for inclusion had to use the engine provided by Windows.

Mozilla released Thunderbird 91.3 to fix several high-impact vulnerabilities that can cause a denial of service, spoof the origin, bypass security policies, and allow arbitrary code execution. Mozilla Thunderbird 91.3 fixes ten flaws discovered by various researchers that cover a broad spectrum of the email client's functionality.

The Firefox team said that the misbehaving Firefox add-ons they found in June - named Bypass and Bypass XM - were misusing the API to intercept and redirect users from downloading updates, accessing updated blocklists and updating remotely configured content. Mozilla has blocked the malicious add-ons in order to keep them from being installed by yet more users.