Firefox hits 100*, fixes bugs… but no new zero-days this month
Credit to Author: Paul Ducklin| Date: Tue, 03 May 2022 16:42:06 +0000
Firefox has followed Chromium to the century mark, reaching a score of 100* with its latest scheduled almost-monthly release.
For readers without the sporting good fortune of living in a cricket-playing country, an individual score of 100 in a single innings, known as a century or a ton, is considered a noteworthy achievement.
Adding an asterisk after the score means “not out”, in other words that the batter is still going strong (or completed their innings without getting out at all), making the feat even more noteworthy.
We know you’re wondering, and if you aren’t you should be, so we’ll mention that from 1959 to 1994, the highest ever score worldwide in first-class cricket was 499, with no asterisk, by the late, great Pakistani batter Hanif Mohammed. Desperate to reach 500 before he ran out of batting time, he took a weary risk for that magical 500th run but fell one short. That total wasn’t eclipsed until 1994, when West Indian batter Brian Lara got to 501*, a record that has stood ever since. Indeed, the only first-class score of 400 or more since Lara’s 501* was Lara’s own 400* in 2004, playing in an international match against England in Antigua. At its current release rate of once every four weeks, Firefox has just over 23 years to go to equal Lara’s quadruple century, and almost 30 years to reach 502*.
No trouble at the version number mill
Earlier this year, we wrote about the potential confusion that Chrome (now at 101) and Firefox (100 today) might cause for some users…
…not through any fault on the part of Google or Mozilla, the respective curators of the Chromium and Firefox codebases, but because at least a few web servers seemed unable to recognise three-digit version numbers correctly.
Today’s ever-funkier and ever-keener-to-track-you websites love to look at your HTTP headers to try to figure out which browser you’re using, and what version you’re on, for example by dissecting the User-Agent header to decide what sort of content to send back.
After updating, our Firefox User-Agent string now looks like this:
GET / HTTP/1.1
Host: testsite.example
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
[. . . .]
Back in February 2022, a few mainstream sites didn’t seem to realise that 100 was greater than 99, presumably because they were hard-coded to use only the first (or last) two characters of the version number, millennium bug style, thus turning the text 100 either into the number 10, or into the number zero.
Fortunately, we haven’t had any visible trouble with Edge, which is based on Chromium and flipped over from 99 to 100 at the start of April (keeping just ahead of Firefox with 101 out at the start of May), and in the few hours that we’ve been on Firefox 100.0, we’ve had no problems either.
We’re assuming either that the last few poorly-coded websites fixed their server-side code in the interim, or that the “special case” lists of problem sites created in recent months by Google and Firefox have suppressed any problems, for example by allowing both browsers to pretend as needed still to be version 99.
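To make the “millennium bug style” failure concrete, here is an added example (our own illustration, not code from any real website or from Mozilla) that runs two broken two-character version parsers and a corrected one over the Firefox 100 User-Agent string shown above. The minimum-version gate of 90 and the Firefox 99 header are assumptions for the demonstration.

```javascript
// Added example, not code from the article: a "millennium bug"-style
// User-Agent version check beside a corrected one, run against the
// Firefox 100 header quoted above. Both header strings are constructed input.

const FIREFOX_100_UA =
  "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0";
const FIREFOX_99_UA =
  "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0";

// The run of digits directly after "Firefox/" is the major version text.
function firefoxMajorText(ua) {
  const m = /Firefox\/(\d+)/.exec(ua);
  return m ? m[1] : null;
}

// Broken parser 1: assumes two-digit versions and keeps the first two
// characters, so "100" becomes 10.
function majorFirstTwoChars(ua) {
  const text = firefoxMajorText(ua);
  return text === null ? null : parseInt(text.slice(0, 2), 10);
}

// Broken parser 2: keeps the last two characters, so "100" becomes 0.
function majorLastTwoChars(ua) {
  const text = firefoxMajorText(ua);
  return text === null ? null : parseInt(text.slice(-2), 10);
}

// Corrected parser: convert the whole digit run, however many digits.
function majorVersion(ua) {
  const text = firefoxMajorText(ua);
  return text === null ? null : parseInt(text, 10);
}

// A server-side gate of the kind the article describes: serve the modern
// page only to Firefox at or above `minimum`, using the supplied parser.
// (The minimum of 90 used below is an assumed value for the demonstration.)
function meetsMinimumVersion(ua, minimum, parser) {
  const major = parser(ua);
  return major !== null && major >= minimum;
}

// Firefox 99 passes every parser; Firefox 100 fails both broken ones.
console.log(meetsMinimumVersion(FIREFOX_99_UA, 90, majorFirstTwoChars)); // true
console.log(meetsMinimumVersion(FIREFOX_100_UA, 90, majorFirstTwoChars)); // false
console.log(meetsMinimumVersion(FIREFOX_100_UA, 90, majorLastTwoChars)); // false
console.log(meetsMinimumVersion(FIREFOX_100_UA, 90, majorVersion)); // true
```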
Bug fixes in this update
The good news is that none of the security bugs patched in Firefox 100 (or its equivalent long-term version 91.9 ESR, which has the feature set of Firefox 91 plus a further 9 versions worth of vulnerability updates to bring it onto a cybersecurity par with 100) is considered “Critical”, and there aren’t any zero-day holes on the list.
Nevertheless, the patches deal with an intriguing range of security issues, reminding us all just how much we rely on our browsers to do the right thing when it comes to cybersecurity.
CVE-numbered vulnerabilities dealt with in this update include:
- CVE-2022-29914. Fullscreen notification bypass using popups. An attacker who knew the right trick could have popped up misleading or fraudulent content that looked like an official notification presented by Firefox itself. Popups and page content are supposed to be easy to tell apart from information coming from the browser, which is why a web page isn’t allowed to place a misleading image over the top of the address bar that tells you what website you’re on, or to present a dialog that looks like an official browser security warning but tells a dishonest story.
- CVE-2022-29916. Leaking browser history with CSS variables. Websites aren’t supposed to be able to retrieve a list of other sites you’ve visited without your permission. This not only violates your privacy but also provides cybercriminals with useful information that might help them when attacking you or your company in future.
- CVE-2022-29910. Firefox for Android forgot HTTP Strict Transport Security (HSTS) settings. HSTS is a local database maintained by your browser that tells it which websites to visit using HTTPS, even if you click a link or type in a URL that starts with plain old http://. Although most websites immediately redirect HTTP connections to the corresponding HTTPS page anyway, that initial HTTP connection is open to hijack because there’s no encryption or integrity checking of the redirect data that’s sent back. HSTS therefore limits your exposure to your very first visit to a site, when the HSTS setting will be activated, which is a lot safer than needing to risk the insecure redirect every time you visit.
- CVE-2022-29917 and -29918. Memory safety bugs fixed in Firefox 100 and 91.9 ESR. As usual, the Mozilla coders openly admit that “we presume that with enough effort some of these [bugs] could have been exploited to run arbitrary code.” In other words, this update is worth getting for this reason alone, given that exploits are much easier for attackers to figure out after they’ve been patched, because the changes in the code essentially act as hints about where to look, and what to look for.
What to do?
Use Help > About Firefox to force a manual check for updates.
Remember that even if you have automatic updates turned on, it’s worth checking that you’ve correctly received the update, instead of simply assuming it worked.