Heard of cricket (the game, not the insect)?
It’s very like baseball, besides that batters can hit the ball wherever they like, together with backwards or sideways; bowlers can hit the batter with the ball on goal (inside sure security limits, after all – it simply wouldn’t be cricket in any other case) with out kicking off a 20-minute all-in brawl; there’s nearly at all times a break in the midst of the afternoon for tea and cake; and you’ll rating six runs at a time so long as you hit the ball excessive and much sufficient (seven if the bowler makes a mistake as effectively).
Effectively, as cricket fanatics know, 111 runs is a superstitious rating, thought-about unauspicious by many – the cricketer’s equal of Macbeth to an actor.
It’s referred to as a Nelson, although no one really appears to know why.
Right now subsequently sees Firefox’s Nelson launch, with model 111.0 popping out, however there doesn’t appear to be something unauspicious about this one.
Eleven particular person patches, and two batches-of-patches
As normal, there are quite a few safety patches within the replace, together with Mozilla’s normal combo-CVE vulnerability numbers for probably exploitable bugs that had been discovered routinely and patched with out ready to see if a proof-of-concept (PoC) exploit was doable:
- CVE-2023-28176: Reminiscence security bugs fastened in Firefox 111 and Firefox ESR 102.9. These bugs had been shared between the present model (which incorporates new options) and the ESR model, quick for prolonged assist launch (safety fixes utilized, however with new options frozen since model 102, 9 releases in the past).
- CVE-2023-28177: Reminiscence security bugs fastened in Firefox 111 solely. These bugs nearly actually solely exist in new code that introduced in new options, on condition that they didn’t present up within the older ESR codebase.
These bags-of-bugs have been rated Excessive relatively than Crucial.
Mozilla admits that “we presume that with sufficient effort a few of these may have been exploited to run arbitrary code”, however nobody has but discovered how to take action, or even when such exploits are possible.
Not one of the different eleven CVE-numbered bugs this month had been worse thah Excessive; three of them apply to Firefox for Android solely; and nobody has but (as far as we but know) give you a PoC exploit that reveals how you can abuse them in actual life.
Two notably fascinating vulnerabilities seem amongst the 11, particularly:
- CVE-2023-28161: One-time permissions granted to a neighborhood file had been prolonged to different native information loaded in the identical tab. With this bug, should you opened a neighborhood file (akin to downloaded HTML content material) that needed entry, say, to your webcam, then some other native file you opened afterwards would magically inherit that entry permission with out asking you. As Mozilla famous, this might result in bother should you had been wanting by a group of things in your obtain listing – the entry permission warnings you’d see would rely on the order wherein you opened the information.
- CVE-2023-28163: Home windows Save As dialog resolved atmosphere variables. That is one other eager reminder to sanitise thine inputs, as we prefer to say. In Home windows instructions, some character sequences are handled specifically, akin to
%USERNAME%, which will get transformed to the title of the presently logged-on person, or%PUBLIC%, which denotes a shared listing, normally inC:Customers. A sneaky web site may use this as a method to trick you into seeing and approving the obtain of a filename that appears innocent however lands in a listing you wouldn’t count on (and the place you won’t later realise it had ended up).
What to do?
Most Firefox customers will get the replace routinely, usually after a random delay to cease everybody’s laptop downloading on the identical second…
…however you may keep away from the wait by manually utilizing Assist > About (or Firefox > About Firefox on a Mac) on a laptop computer, or by forcing an App Retailer or Google Play replace on a cellular machine.
(In case you’re a Linux person and Firefox is equipped by the maker of your distro, do a system replace to examine for the supply of the brand new model.)
