Heard of cricket (the game, not the insect)?
It’s very like baseball, besides that batters can hit the ball wherever they like, together with backwards or sideways; bowlers can hit the batter with the ball on objective (inside sure security limits, in fact – it simply wouldn’t be cricket in any other case) with out kicking off a 20-minute all-in brawl; there’s virtually all the time a break in the course of the afternoon for tea and cake; and you’ll rating six runs at a time so long as you hit the ball excessive and much sufficient (seven if the bowler makes a mistake as properly).
Nicely, as cricket lovers know, 111 runs is a superstitious rating, thought of unauspicious by many – the cricketer’s equal of Macbeth to an actor.
It’s often called a Nelson, although no person really appears to know why.
Immediately subsequently sees Firefox’s Nelson launch, with model 111.0 popping out, however there doesn’t appear to be something unauspicious about this one.
Eleven particular person patches, and two batches-of-patches
As regular, there are quite a few safety patches within the replace, together with Mozilla’s regular combo-CVE vulnerability numbers for doubtlessly exploitable bugs that have been discovered robotically and patched with out ready to see if a proof-of-concept (PoC) exploit was potential:
- CVE-2023-28176: Reminiscence security bugs fastened in Firefox 111 and Firefox ESR 102.9. These bugs have been shared between the present model (which incorporates new options) and the ESR model, brief for prolonged help launch (safety fixes utilized, however with new options frozen since model 102, 9 releases in the past).
- CVE-2023-28177: Reminiscence security bugs fastened in Firefox 111 solely. These bugs virtually actually solely exist in new code that introduced in new options, on condition that they didn’t present up within the older ESR codebase.
These bags-of-bugs have been rated Excessive moderately than Important.
Mozilla admits that “we presume that with sufficient effort a few of these may have been exploited to run arbitrary code”, however nobody has but discovered how to take action, or even when such exploits are possible.
Not one of the different eleven CVE-numbered bugs this month have been worse thah Excessive; three of them apply to Firefox for Android solely; and nobody has but (as far as we but know) give you a PoC exploit that reveals the right way to abuse them in actual life.
Two notably fascinating vulnerabilities seem amongst the 11, specifically:
- CVE-2023-28161: One-time permissions granted to a neighborhood file have been prolonged to different native information loaded in the identical tab. With this bug, if you happen to opened a neighborhood file (equivalent to downloaded HTML content material) that wished entry, say, to your webcam, then another native file you opened afterwards would magically inherit that entry permission with out asking you. As Mozilla famous, this might result in bother if you happen to have been trying by way of a set of things in your obtain listing – the entry permission warnings you’d see would depend upon the order wherein you opened the information.
- CVE-2023-28163: Home windows Save As dialog resolved atmosphere variables. That is one other eager reminder to sanitise thine inputs, as we prefer to say. In Home windows instructions, some character sequences are handled specifically, equivalent to
%USERNAME%, which will get transformed to the identify of the presently logged-on person, or%PUBLIC%, which denotes a shared listing, often inC:Customers. A sneaky web site may use this as a strategy to trick you into seeing and approving the obtain of a filename that appears innocent however lands in a listing you wouldn’t anticipate (and the place you won’t later realise it had ended up).
What to do?
Most Firefox customers will get the replace robotically, sometimes after a random delay to cease everybody’s pc downloading on the identical second…
…however you may keep away from the wait by manually utilizing Assist > About (or Firefox > About Firefox on a Mac) on a laptop computer, or by forcing an App Retailer or Google Play replace on a cell system.
(If you happen to’re a Linux person and Firefox is equipped by the maker of your distro, do a system replace to examine for the supply of the brand new model.)
