Mild monthly security update from Firefox – but update anyway

Credit to Author: Paul Ducklin| Date: Wed, 27 Jul 2022 00:41:02 +0000

It’s time for this month’s scheduled Firefox update (technically, with 28 days between updates, you sometimes get two updates in one calendar month, but July 2022 isn’t one of those months)…

…and the good news is that the worst bugs listed, which get a risk category of High, are those found by Mozilla itself using automated bug-hunting tools, and lumped togther under two catchall CVE numbers:

  • CVE-2022-36320: Memory safety bugs fixed in Firefox 103.
  • CVE-2022-2505: Memory safety bugs fixed in Firefox 103 and 102.1.

The reason that these bugs are split into two groups is that Mozilla officially supports two flavours of its browser.

There’s the latest-and-greatest version, currently 103, which has all the latest features and relevant security fixes.

And there’s the Extended Support Release (ESR) flavour, which synchs up with the features in the latest version every few months, but in between gets security updates only, thus bringing in new features only after they’ve been available to try out in the mainstream version for some time.

As you can imagine, sysadmins and IT teams who support Firefox at work often like ESRs because it means they don’t have to foist new features on their own users (or take the inevitable support calls about new menu options, different icons and modified behaviour) without good warning.

There are almost always at least a few bugs fixed in the mainstream Firefox version that don’t appear in the ESR, and thus can’t be fixed there, because the bugs are new, introduced in the new code added to support the new features.

This is another reason that some sysadmins like ESR-style software, given that the code in those versions has been geneally exposed to real-life scrutiny for longer, without lagging behind on security patches.

In fact, Mozilla retains two ESR versions, so that you can try the previous and the current ESR versions at the same time before making the switch, thus never needing to use the cutting-edge version our your production network at all. (See below for the latest version numbers of all currently-supported versions.)

Misleading your clicks

Of the other six bugs on the patch list, we think two are intriguing and important, because both of them give attackers a chance to trick you into clicking something that isn’t what it seems:

  • CVE-2022-36319: Mouse Position spoofing with CSS transforms. Simply put, this bug means that a booby-trapped website could leave your mouse pointer positioned at the wrong spot in the browser window, so that clicking your mouse won’t register where you expect. This trick is generally known as clickjacking, where a scammer makes you think you’re clicking somewhere safe, when in fact you’re clicking on a link or button you would deliberately have avoided if only you knew. In its simplest form, clickjacking can engineer fake social media likes or unwanted ad impressions. At worst, it can lead you directly into harm from phishing attacks or fake downloads that aren’t obvious, even if you’re looking out for them.
  • CVE-2022-36314: Opening local .lnk files could cause unexpected network loads. LNK files are Windows shortcuts, which are a whole can of security worms in their own right. (A .LNK file can sneakily redirect you to a file of type X, such as .EXE, while presenting itself with an icon of type Y, such as .PDF.) In this case, a web link that specified a local .LNK file, could, if clicked, redirect you to a file stored somewhere on the network instead. Although there’s no suggestion that the data fetched this way could be used for remote code execution (in other words, to make unauthorised changes, including implanting malware), you could easily be tricked into trusting remote content under the mistaken impression that it was local data. Any network request leaks some information to the person running the server at the other end, so it’s important for your browser to give you an accurate idea of where each link you click will take you.

LEARN MORE ABOUT SHORTCUTS AND MALWARE


What to do?

As usual, go to Help > About Firefox and see whether the popup box tells you Firefox is up to date or offers you a clickable button labelled [Update to X].

This time, the version you’re after is 103.0 (if you’re using the mainstream version), ESR 102.1 (if you’re on the most recent ESR version), or ESR 91.12 (if you’re on the oldest ESR flavour).

As we’ve explained before, but think it’s worth mentioning again, the two numbers in the ESR release identifiers add together to denote the mainstream release that they match up with in terms of security updates.

So, given that the current mainstream version is 103, you can quickly tell than 102.1 ESR (102+1 = 103) and 91.12 ESR (91+12 = 103) are the most recent releases in their respective lineages.


http://feeds.feedburner.com/NakedSecurity

Leave a Reply