Firefox 111 patches 11 holes, but not 1 zero-day among them… – Naked Security


Heard of cricket (the sport, not the insect)?

It’s almost like baseball, except that batters can hit the ball anywhere they want, including backwards or sideways; bowlers can hit the batter with the ball at will (within certain safety limits, of course – it wouldn’t be cricket otherwise) without starting a 20-minute all-in brawl; there is almost always a mid-afternoon break for tea and cake; and you can score six runs at a time as long as you hit the ball high enough and far enough (seven if the bowler also makes a mistake).

Well, as cricket lovers know, 111 runs is a superstitious score, considered unlucky by many – the cricketer’s equivalent of Macbeth to an actor.

This is known as a Nelson, though no one really knows why.

Today sees the Nelson release of Firefox, with version 111.0 coming out, but there doesn’t seem to be anything untoward about this one.

Eleven individual patches, and two batches-of-patches

As usual, there are plenty of security patches in the update, including Mozilla’s standard combined CVE numbers that cover potentially exploitable bugs found automatically and patched without waiting to see whether a proof-of-concept (PoC) exploit is even possible:

  • CVE-2023-28176: Memory safety bugs were fixed in Firefox 111 and Firefox ESR 102.9. These bugs are shared between the current version (which keeps acquiring new features) and the ESR version, short for Extended Support Release, which still receives security fixes but has had its feature set frozen since version 102, nine releases ago.
  • CVE-2023-28177: Memory safety bugs were fixed in Firefox 111 only. These bugs almost certainly exist only in newer code added to support new features, because they did not show up in the older ESR codebase.

These bags-of-bugs are rated High rather than Critical.

Mozilla admits that “we assume that with enough effort some of these could be exploited to run arbitrary code”, but no one yet knows how to do so, or even if such exploits are feasible.

None of the other eleven CVE-numbered bugs this month was rated worse than High; three of them apply to Firefox for Android only; and no one has yet (as far as we know) come up with a PoC exploit showing how to abuse any of them in real life.

Two of the eleven individual bugs are particularly interesting, namely:

  • CVE-2023-28161: One-time permissions granted to a local file are extended to other local files loaded in the same tab. With this bug, if you opened a local file (such as downloaded HTML content) that asked for access to, say, your webcam, and you allowed it just that once, then any other local file you opened afterwards in the same tab would silently inherit that permission without asking you. As Mozilla notes, this can lead to trouble if you’re looking through a collection of items in your download directory – the access permission prompts you see depend on the order in which you opened the files, not on what each file actually asks for.
  • CVE-2023-28163: Windows Save As dialog resolves environment variables. This is another sharp reminder to sanitize your inputs, as we like to say. In Windows commands, certain character sequences are treated specially, such as %USERNAME%, which is converted to the name of the currently logged-on user, or %PUBLIC%, which points to a shared directory, usually C:\Users\Public. A sneaky website could use this to trick you into seeing and approving the download of a filename that looks harmless but ends up in a directory you didn’t expect (and where you might not even realize it went).
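To make the “sanitize your inputs” point concrete, here is an added example, written for this article rather than taken from it or from Mozilla’s code, of what a page-suggested download name turns into if a dialog expands Windows-style %VAR% sequences, and of a sanitizer that neutralises those sequences (and stray path components) before the name reaches the user. The environment map, the function names and the sample filenames are all constructed for illustration.

```javascript
// Constructed sample environment, standing in for a real Windows session.
// (Not a real machine; values chosen to make the expansion visible.)
const SAMPLE_ENV = {
  USERNAME: "alice",
  PUBLIC: "C:\\Users\\Public",
  TEMP: "C:\\Users\\alice\\AppData\\Local\\Temp",
};

// Model of Windows %VAR% expansion as applied to a filename. Unknown
// variables are left untouched, which is what cmd.exe does as well.
function expandWindowsEnv(name, env = SAMPLE_ENV) {
  return name.replace(/%([^%]+)%/g, (whole, key) => {
    const upper = key.toUpperCase();
    return Object.prototype.hasOwnProperty.call(env, upper) ? env[upper] : whole;
  });
}

// Characters that are not legal in a Windows filename component.
const WINDOWS_RESERVED_CHARS = /[<>:"\/\\|?*\u0000-\u001f]/g;
// Device names Windows treats specially regardless of extension.
const WINDOWS_RESERVED_NAMES = /^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$/i;

// Reduce an untrusted suggested filename to a single, literal file name.
function sanitizeSuggestedFilename(suggested, fallback = "download") {
  let name = String(suggested);
  // 1. Neutralise %VAR% sequences so nothing downstream can expand them.
  name = name.replace(/%/g, "_");
  // 2. Keep only the last path component: a suggested name never carries directories.
  name = name.split(/[\\/]/).pop();
  // 3. Drop forbidden characters and the trailing dots/spaces Explorer strips silently.
  name = name.replace(WINDOWS_RESERVED_CHARS, "_").replace(/[. ]+$/, "");
  // 4. Refuse empty names, "." / ".." and reserved device names.
  if (name === "" || name === "." || name === ".." || WINDOWS_RESERVED_NAMES.test(name)) {
    name = fallback;
  }
  return name;
}

// Side-by-side view: what an unsanitised name would expand to versus the
// literal name the sanitizer produces.
function compareSuggestions(suggestions) {
  return suggestions.map((s) => ({
    suggested: s,
    unsanitisedExpandsTo: expandWindowsEnv(s),
    sanitised: sanitizeSuggestedFilename(s),
  }));
}

// Constructed sample inputs a page might offer via a download attribute or
// Content-Disposition header.
const SAMPLE_SUGGESTIONS = [
  "report.pdf",
  "%USERNAME%-invoice.pdf",
  "..\\%PUBLIC%\\update.exe",
  "CON.txt",
];

for (const row of compareSuggestions(SAMPLE_SUGGESTIONS)) {
  console.log(JSON.stringify(row));
}
```

The order of the steps matters: removing the percent signs first guarantees that no later step (or any dialog that receives the result) can manufacture a directory path out of a variable, and only then is the name reduced to its last path component.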

What to do?

Most Firefox users will get the update automatically, usually after a random delay so that not every computer tries to download it at the same moment…

…but you can avoid the wait by forcing a manual check via Help > About (or Firefox > About Firefox on a Mac) on a laptop or desktop, which also shows you the version you are currently running, or by forcing an App Store or Google Play update on a mobile device.

(If you are using Linux and Firefox is provided by the maker of your distro, do a system update to check for a new version.)