Lançado o browser Firefox 112

Por


O Firefox 112 é lançado com varias correções de segurança, melhor suporte ao empacotamento Snap e redução de escala de vídeo que reduz o uso de GP.

Lançado o browser Firefox 112

Mozilla Firefox é um navegador livre e multiplataforma desenvolvido pela Mozilla Foundation com ajuda de centenas de colaboradores. A intenção da fundação é desenvolver um navegador leve, seguro, intuitivo e altamente extensível. Wikipédia

 

Novidades

  • Clicar com o botão direito nos campos de senha agora mostra uma opção para revelar a senha.
  • Os usuários do Ubuntu Linux agora podem importar os dados do navegador do pacote Chromium Snap. Atualmente, isso só funcionará se o Firefox também não estiver instalado como um pacote Snap, mas o trabalho está em andamento para resolver isso!
  • Você usa o painel da lista de guias na barra de guias? Nesse caso, agora você pode fechar as guias clicando com o botão do meio nos itens dessa lista.
  • Você sempre conseguiu abrir uma guia usando (Cmd/Ctrl)-Shift-T. Agora, esse mesmo atalho irá restaurar a sessão anterior se não houver mais abas fechadas da mesma sessão para reabrir.
  • Para todos os usuários do ETP Strict, estendemos a lista de parâmetros de rastreamento conhecidos que são removidos das URLs para proteger ainda mais nossos usuários do rastreamento entre sites.
  • Habilita a sobreposição de vídeo decodificado por software em GPUs Intel no Windows. Melhora a qualidade de redução de escala de vídeo e reduz o uso de GPU.

Mudança


A obsoleta API Javascript U2F agora está desativada por padrão. O protocolo U2F permanece utilizável por meio da API WebAuthn. A API U2F pode ser reativada usando a preferência security.webauth.u2f.

Correções

Mozilla Foundation Security Advisory 2023-13 Security Vulnerabilities fixed in Firefox 112, Firefox for Android 112, Focus for Android 112 Announced April 11, 2023 Impact high Products Firefox, Firefox for Android, Focus for Android Fixed in Firefox 112 Firefox for Android 112 Focus for Android 112 #CVE-2023-29531: Out-of-bound memory access in WebGL on macOS Reporter DoHyun Lee Impact high Description An attacker could have caused an out of bounds memory access using WebGL APIs, leading to memory corruption and a potentially exploitable crash. This bug only affects Firefox for macOS. Other operating systems are unaffected. References Bug 1794292 #CVE-2023-29532: Mozilla Maintenance Service Write-lock bypass Reporter Holger Fuhrmannek Impact high Description A local attacker can trick the Mozilla Maintenance Service into applying an unsigned update file by pointing the service at an update file on a malicious SMB server. The update file can be replaced after the signature check, before the use, because the write-lock requested by the service does not work on a SMB server. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. References Bug 1806394 #CVE-2023-29533: Fullscreen notification obscured Reporter Irvan Kurniawan Impact high Description A website could have obscured the fullscreen notification by using a combination of window.open, fullscreen requests, window.name assignments, and setInterval calls. This could have led to user confusion and possible spoofing attacks. References Bug 1814597 Bug 1798219 #CVE-2023-29534: Fullscreen notification could have been obscured on Firefox for Android Reporter Shaheen Fazim and Hafiizh Impact high Description Different techniques existed to obscure the fullscreen notification in Firefox and Focus for Android. These could have led to potential user confusion and spoofing attacks. This bug only affects Firefox and Focus for Android. Other versions of Firefox are unaffected. References Bug 1816059 Bug 1816007 Bug 1821155 Bug 1821576 Bug 1821906 Bug 1822298 Bug 1822305 #MFSA-TMP-2023-0001: Double-free in libwebp Reporter Irvan Kurniawan Impact high Description A double-free in libwebp could have led to memory corruption and a potentially exploitable crash. References Bug 1819244 #CVE-2023-29535: Potential Memory Corruption following Garbage Collector compaction Reporter Lukas Bernhard Impact high Description Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly traced. This resulted in memory corruption and a potentially exploitable crash. References Bug 1820543 #CVE-2023-29536: Invalid free from JavaScript code Reporter zx from qriousec Impact high Description An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash. References Bug 1821959 #CVE-2023-29537: Data Races in font initialization code Reporter Looben Yang Impact high Description Multiple race conditions in the font initialization could have led to memory corruption and execution of attacker-controlled code. References Bug 1823365 Bug 1824200 Bug 1825569 #CVE-2023-29538: Directory information could have been leaked to WebExtensions Reporter Alexis aka zoracon Impact moderate Description Under specific circumstances a WebExtension may have received a jar:file:/// URI instead of a moz-extension:/// URI during a load request. This leaked directory paths on the user's machine. References Bug 1685403 #CVE-2023-29539: Content-Disposition filename truncation leads to Reflected File Download Reporter Trung Pham Impact moderate Description When handling the filename directive in the Content-Disposition header, the filename would be truncated if the filename contained a NULL character. This could have led to reflected file download attacks potentially tricking users to install malware. References Bug 1784348 #CVE-2023-29540: Iframe sandbox bypass using redirects and sourceMappingUrls Reporter Axel Chong (@Haxatron) Impact moderate Description Using a redirect embedded into sourceMappingUrls could allow for navigation to external protocol links in sandboxed iframes without allow-top-navigation-to-custom-protocols. References Bug 1790542 #CVE-2023-29541: Files with malicious extensions could have been downloaded unsafely on Linux Reporter Ameen Basha M K Impact moderate Description Firefox did not properly handle downloads of files ending in .desktop, which can be interpreted to run attacker-controlled commands. This bug only affects Firefox for Linux on certain Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected Linux Distributions. References Bug 1810191 #CVE-2023-29542: Bypass of file download extension restrictions Reporter Shaheen Fazim and Ameen Basha M K Impact moderate Description A newline in a filename could have been used to bypass the file extension security mechanisms that replace malicious file extensions such as .lnk with .download. This could have led to accidental execution of malicious code. This bug only affects Firefox on Windows. Other versions of Firefox are unaffected. References Bug 1815062 Bug 1810793 #CVE-2023-29543: Use-after-free in debugging APIs Reporter Lukas Bernhard Impact moderate Description An attacker could have caused memory corruption and a potentially exploitable use-after-free of a pointer in a global object's debugger vector. References Bug 1816158 #CVE-2023-29544: Memory Corruption in garbage collector Reporter Lukas Bernhard Impact moderate Description If multiple instances of resource exhaustion occurred at the incorrect time, the garbage collector could have caused memory corruption and a potentially exploitable crash. References Bug 1818781 #CVE-2023-29545: Windows Save As dialog resolved environment variables Reporter Axel Chong (@Haxatron) Impact moderate Description Similar to CVE-2023-28163, this time when choosing 'Save Link As', suggested filenames containing environment variable names would have resolved those in the context of the current user. This bug only affects Firefox on Windows. Other versions of Firefox are unaffected. References Bug 1823077 #CVE-2023-29546: Screen recording in Private Browsing included address bar on Android Reporter Irwan Impact low Description When recording the screen while in Private Browsing on Firefox for Android the address bar and keyboard were not hidden, potentially leaking sensitive information. This bug only affects Firefox for Android. Other operating systems are unaffected. References Bug 1780842 #CVE-2023-29547: Secure document cookie could be spoofed with insecure cookie Reporter Marco Squarcina Impact low Description When a secure cookie existed in the Firefox cookie jar an insecure cookie for the same domain could have been created, when it should have silently failed. This could have led to a desynchronization in expected results when reading from the secure cookie. References Bug 1783536 #CVE-2023-29548: Incorrect optimization result on ARM64 Reporter JunYoung Park Impact low Description A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result. References Bug 1822754 #CVE-2023-29549: Javascript's bind function may have failed Reporter Lukas Bernhard Impact low Description Under certain circumstances, a call to the bind function may have resulted in the incorrect realm. This may have created a vulnerability relating to JavaScript-implemented sandboxes such as SES. References Bug 1823042 #CVE-2023-29550: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10 Reporter Mozilla developers and community Impact high Description Mozilla developers Randell Jesup, Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 111 and Firefox ESR 102.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. References Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10 #CVE-2023-29551: Memory safety bugs fixed in Firefox 112 Reporter Mozilla developers and community Impact high Description Mozilla developers Randell Jesup, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 111. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. References Memory safety bugs fixed in Firefox 112
 

Para receber a nova versão basta manter sua distro  atualizada.

Para Arch Linux
sudo pacman -Syu
Para Fedora
sudo dnf upgrade
Para Debian e Ubuntu
sudo apt update ; sudo apt full-upgrade
Para openSUSE
sudo zypper update



Comentários

Postar um comentário

olá, seja bem vindo ao Linux Dicas e suporte !!

Você precisa ver isso

Carregando...

Todos os arquivos do blog

Mostrar mais