Firefox Announces Same-Day Update After Two Minor Pwn2Own Exploits (mozilla.org)
During this year's annual Pwn2Own contest, two researchers from Palo Alto Networks demonstrated an out-of-bounds write vulnerability in Mozilla Firefox, reports Cyber Security News, "earning $50,000 and 5 Master of Pwn points." And the next day another participant used an integer overflow to exploit Mozilla Firefox (renderer only).
But Mozilla's security blog reminds users that a sandbox escape would be required to break out from a tab to gain wider system access "due to Firefox's robust security architecture" — and that "neither participating group was able to escape our sandbox... We have verbal confirmation that this is attributed to the recent architectural improvements to our Firefox sandbox which have neutered a wide range of such attacks. This continues to build confidence in Firefox's strong security posture."
Even though neither attack could escape their sandbox, "Out of abundance of caution, we just released new Firefox versions... all within the same day of the second exploit announcement." (Last year Mozilla responded to an exploitable security bug within 21 hours, they point out, even winning an award as the fastest to patch.)
The new updated versions are Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1 and Firefox for Android. "Despite the limited impact of these attacks, all users and administrators are advised to update Firefox as soon as possible.... To review and fix the reported exploits a diverse team of people from all across the world and in various roles (engineering, QA, release management, security and many more) rushed to work. We tested and released a new version of Firefox for all of our supported platforms, operating systems, and configurations with rapid speed....
Our work does not end here. We continue to use opportunities like this to improve our incident response. We will also continue to study the reports to identify new hardening features and security improvements to keep all of our Firefox users across the globe protected."
Re:Great, now only if (Score:5, Funny)
Username checks out: old fart yells at cloud.
Re:Great, now only if (Score:5, Informative)
Re:Great, now only if (Score:5, Insightful)
Yeah, I don't know why the /. edgelords have so much hate for Firefox. It's my daily driver and it's fine. I certainly would never use Chrome as a daily driver; Google doesn't need to hoover up all my data, thanks.
Re: (Score:3)
They probably remember it as the minimalist browser it was 20 years ago. It was deteriorating in terms of stability for a while, although recent versions seem OK. The UI kind of sucks - but in the same ways that Chrome and Edge's UIs suck. (Copying them was part of the problem.) I also know a few culture-warrior types who hate it because of Mozilla's extracurricular programs, they see their browser as kind of a lifestyle product that should be aligned with their worldview, so they go to a browser like Brav
Re: (Score:2)
Probably due to how the company behaves. The software works just fine, but its disdain for users is amazing. Google is at least widely known for how it behaves, you know what you get, and real truly breaking changes you hear about people bitching online years in advance.
Firefox on the other hand... well maybe tomorrow the shortcuts you use will suddenly no longer work for the simple reason of someone changed a word in a menu and someone else decided completely arbitrarily that means the shortcut needs to m
Re: (Score:2)
If you're a tab hoarder some of Firefox's design problems stand out. Close or open too many tabs too quickly and FF will peg your system load. It seems like it's saving the entire browser state when you make minor changes, so when that browser state is larger and you make multiple changes before it finishes saving the last one, the UI freezes until it catches up. Granted 5 years ago it would just crash in those cases, so in that respect it has gotten a lot better.
While I do use Firefox, I hate it at the
Re: (Score:2)
Because Firefox chased away the tech heads. They kept changing the extension mechanism API so many of the user's favorite extensions just never made it.
Firefox only adopted WebExtension because they kept losing users to the point developers were fed up and stopped making Firefox extensions because it was too much work.
Now Firefox basically is a limp shell of what it was when it came to extension support or what extensions could do.
Meanwhile, they integrate stuff people didn't want, like Pocket. They then ac
Re: (Score:2)
Yeap, same here. Been using it as my main browser ever since its release. With UBlock and a bunch of other plugins.
I have Chrome as well, but that's for the rare instances when I need it.
Re:Great, now only if [better] (Score:2)
Great, now only if Firefox wasn't a giant, bloated pile of shit, burdened with pointless features NO ONE wants. Also, it's fucking slow as frozen monkey piss.
Quoted because of the censor mods. While I agree with you (in spite of your vacuous Subject), I think your rant doesn't help anything. How to distinguish between things that could be fixed and things that must be tolerated? So:
I think in terms of "Would I buy that feature?" Can't recall the last time I noticed a feature of Firefox where the answer was yes, even if the price tag was as low as ten bucks. Probably the password sync option? But that was copied from the Palm... As I imagine it, the software woul
Re:Great, now only if [better] (Score:4, Insightful)
I'll add that even if there are features (or "features") that, at least, I don't want, so far I'm (still) able to disable or re-configure them in a menu or the config file (or .css file) *and* can load extensions that compensate for other things. Can't say the same, to the same extent, about Chrome or Edge. This makes it my preferred browser.
Re: (Score:2)
I used Firefox for close to two decades...it became slower and slower over time and succumbed to creeping featuritis, eventually becoming filled with junk no one asked for. I tried Brave, liked it, liked the built-in ad blocking, and I've been using it ever since.
To each their own though, I encourage people to use whatever they like. For me, it's Brave.
Re: (Score:2)
Maybe I should give Brave another look... I wasn't impressed at the time, but that was so long ago I can't even remember which computer it was on.
Re: (Score:2)
I used to wonder what people are talking about in terms of FF performance and complaints about being slow. Perhaps it was a little slower than the competition, but barely noticeable, and the benefits in terms of not feeding the data sucking beasts was well worth it. Until...
earlier this year, I noticed FF being really slow. It will hiccup for 10~20 seconds periodically while the interface froze. Even when it didn't freeze completely, scrolling and loading pages seemed way slower than it should be. I tr
Re: (Score:2)
only replying to say: 'when did slashdot break the 10mil UID mark!?'
not sure if shitstain bots, or actual humans being shitstains tho.
Re: (Score:3)
only replying to say: 'when did slashdot break the 10mil UID mark!?'
It was ratcheted up in several stages a few years back. UIDs seemed to jump from 2 mil to 4 mil, then 5 and 6. It might have been troll control, new owners inflating #s, or just lazy programming. Bottom line: don't trust anyone over 1,000,000; the real number of users is closer to 2 or 3 million (ish).
Re: (Score:2)
It takes an email address to post as AC now, at least that's how it was explained to me.
I wrote a journal post and someone answered it. I had been gone for quite a while. I'm not sure how much I'm back, but I've posted a bit here and there.
Remove the Bloat (Score:2)
Re: (Score:2)
You remember wrong, Firefox was split from the Mozilla Suite, not from Netscape.
Awesome! (Score:2)
"earning $50,000 and 5 Master of Pwn points."
All they need to do is earn two more points and they can trade them in for a Pwn2Own branded Frisbee at the prize desk! I'm sooo jealous!