Security News

Mozilla has rolled out fixes to address a critical security weakness in its cross-platform Network Security Services (NSS) cryptographic library that could potentially be exploited by an adversary to crash a vulnerable application and even execute arbitrary code. Tracked as CVE-2021-43527, the flaw affects NSS versions prior to 3.73 or 3.68.1 ESR, and concerns a heap overflow that occurs when verifying DER-encoded digital signatures such as DSA and RSA-PSS.

NSS can be used to develop security-enabled client and server apps with support for SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and various other security standards. "Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted," Mozilla said in a security advisory issued today.

Mozilla has announced that its free Firefox Relay service now offers a paid Premium tier. With a Premium account you get more aliases and can even create a new email domain for the aliases.

Mozilla hopes to ramp up the monetisation machine with a paid premium version of its Firefox Relay service, upping the current limit of five email aliases to a near-unlimited number. Firefox Relay hides a user's real email address behind an alias to both protect the user's identity and spare their inbox from spam.

Firefox is now available for download through Microsoft's Windows Store for Windows 10 and Windows 11 users, the first major web browser to join the store since Opera was added in late September. Until today, Mozilla couldn't bring its web browser onto the Microsoft Store because Redmond's store policies required that all browsers submitted for inclusion use the engine provided by Windows.

Mozilla released Thunderbird 91.3 to fix several high-impact vulnerabilities that can cause a denial of service, spoof the origin, bypass security policies, and allow arbitrary code execution. Mozilla Thunderbird 91.3 fixes ten flaws discovered by various researchers that cover a broad spectrum of the email client's functionality.

The Firefox team said that the misbehaving Firefox add-ons they found in June - named Bypass and Bypass XM - were misusing the proxy API to intercept requests and prevent users from downloading updates, fetching updated blocklists, and updating remotely configured content. Mozilla has blocked the malicious add-ons to keep them from being installed by yet more users.

Mozilla blocked malicious Firefox add-ons installed by roughly 455,000 users after discovering in early June that they were abusing the proxy API to block Firefox updates. "Starting with Firefox 91.1, Firefox now includes changes to fall back to direct connections when Firefox makes an important request via a proxy configuration that fails."

Mozilla is rolling out a forced upgrade for Thunderbird 78.x users, getting everyone aboard version 91, the latest stable release that came out in August. If you were sticking with version 78.x thus far, it's likely that you were doing so for reasons of stability and add-on compatibility.

Mozilla is running a study to test users' responses to changing the default Firefox search engine to Microsoft Bing. Like all browsers, Mozilla Firefox ships with a default search engine that handles searches entered via the address bar.