Firefox 70 blocks cross-site social media cookies

Written by Valdis Koks

Mozilla has released version 70 of the Firefox browser. The release brings several changes: Firefox 70 now blocks cross-site cookies from social networks, and it fixes several serious bugs whose exploitation could lead to a controlled crash of the program, as well as the execution of third-party code.

In addition, the browser strengthens protection against cross-site trackers and adds alerts about possible compromise of stored passwords.

“Social tracking protection, which blocks cross-site cookies from sites like Facebook, Twitter, and LinkedIn, is now a standard feature of enhanced tracking protection,” said the creators of the browser.

This means that Firefox will block cross-site cookies on the following platforms:

  • YouTube
  • Facebook
  • WhatsApp
  • Oculus
  • Twitter
  • Facebook Messenger
  • Instagram
  • TweetDeck
  • LinkedIn

By default, tools that let sites tailor ads based on data about the user’s online activity will be disabled. Cookies used to sign in with a social network profile are still allowed, but they can also be blocked in the browser settings.

The Lockwise password management plugin will now warn the user about possible compromise of credentials. The extension checks the stored credentials against a database of known leaks and issues a warning if there is a match.

In the new release, developers also fixed several vulnerabilities. One of them, CVE-2019-11764, was rated critical. The bug is present in Firefox 69 and Firefox ESR 68.1; it can lead to memory corruption and thus create conditions for the execution of malicious code on the target machine.

Three other flaws are rated high severity. According to the developers, CVE-2018-6156 stems from an incorrectly specified packet length when the WebRTC engine processes the packet. An attacker can cause a heap buffer overflow using a specially crafted video file sent to the browser. Exploiting the bug crashes Firefox.

“Calling some procedures while executing the libexpat function can lead to heap overflow and Firefox freezing. The problem was registered as CVE-2019-15903; for its operation the attacker needs to use a specially created XML file,” said IS Specialist Sebastian Pipping.

The last of the high-severity bugs is a use-after-free. The vulnerability, CVE-2019-11757, occurs when data is placed in an IndexedDB table. An attacker can keep a reference to a specific object and use it even after the object has been freed. This results in a denial of service and an exploitable crash of the program.

The previous release of Firefox appeared in September this year. In version 69, Enhanced Tracking Protection was turned on by default, and user consent was required to play Flash content.
