SecurityWeek

Firefox 74 Patches Vulnerabilities, Disables TLS 1.0 and 1.1

Mozilla this week released Firefox 74 to the stable channel with several security improvements, including patches, a new add-ons policy, improved privacy, and versions 1.0 and 1.1 of the Transport Layer Security (TLS) protocol disabled by default.

TLS 1.0 and TLS 1.1 rely on MD5 and SHA-1 in their handshake and lack the protections later versions added for CBC cipher suites; BEAST, CRIME and POODLE are the attacks most often cited against them, although strictly speaking those target CBC padding, TLS compression and SSL 3.0 fallback rather than the version number alone. Citing these weaknesses, Mozilla announced last month that it would disable both versions in its browser and accept only connections negotiated with TLS 1.2 or TLS 1.3.

The change has no effect on websites that support TLS 1.2 or later, but a site that only speaks TLS 1.0 or 1.1 now produces an error page (SSL_ERROR_UNSUPPORTED_VERSION) instead of loading. The error page carries an override button that re-enables TLS 1.0 and 1.1; note that the override sets the browser-wide preference security.tls.version.enable-deprecated rather than an exception for that one site. The minimum version itself is governed by security.tls.version.min, which Firefox 74 sets to 3 (TLS 1.2) by default.

The deprecation of the older TLS versions was first announced in October 2018, in coordination with Apple, Google and Microsoft, but some website administrators have still not enabled newer versions of the protocol. The change in Firefox 74 is expected to push them to do so.

With the new release, Mozilla also improved the browser's login management and added support for mDNS ICE candidates in WebRTC, which hides users' local IP addresses in certain voice and video call scenarios: instead of placing the machine's private IP address in a host candidate, the browser advertises a randomly generated .local hostname that peers on the same local network resolve over multicast DNS.
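To see the difference in practice, one can inspect the ICE candidates a browser emits in its SDP offer. The Go program below is an added example, not part of the article or of Firefox, that classifies host candidates as mDNS-cloaked or as exposing a raw IP; the SDP lines, including the .local name and the addresses, are constructed for illustration, and the function could equally be run over candidates copied from about:webrtc or a signaling log.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// sampleSDP is a constructed fragment of a WebRTC offer: one mDNS-cloaked
// host candidate, one host candidate carrying a private IP, and a
// server-reflexive candidate (the public address, visible by design).
const sampleSDP = `v=0
a=candidate:842163049 1 udp 1677729535 3f1b7c2e-9d4a-4e8b-a1c6-2b5d7e9f0a3c.local 61234 typ host generation 0
a=candidate:842163050 1 udp 1677729535 192.168.1.23 61235 typ host generation 0
a=candidate:1510613869 1 udp 1677729535 203.0.113.7 61236 typ srflx raddr 0.0.0.0 rport 0 generation 0
`

// HostCandidateReport separates host candidates whose address is an mDNS
// name from those that expose a literal IP address.
type HostCandidateReport struct {
	Cloaked []string
	Exposed []string
}

// ClassifyHostCandidates walks the SDP attribute lines and sorts every
// "typ host" candidate by whether its address is a ".local" mDNS name or an
// IP literal. srflx and relay candidates are skipped: they carry the public
// or TURN address, which the peer is expected to see.
func ClassifyHostCandidates(sdp string) HostCandidateReport {
	var r HostCandidateReport
	for _, line := range strings.Split(sdp, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "a=candidate:") {
			continue
		}
		// RFC 5245 syntax: candidate:<foundation> <component> <transport>
		// <priority> <address> <port> typ <type> ...
		f := strings.Fields(line)
		if len(f) < 8 || f[6] != "typ" || f[7] != "host" {
			continue
		}
		addr := f[4]
		switch {
		case strings.HasSuffix(strings.ToLower(addr), ".local"):
			r.Cloaked = append(r.Cloaked, addr)
		case net.ParseIP(addr) != nil:
			r.Exposed = append(r.Exposed, addr)
		}
	}
	return r
}

func main() {
	r := ClassifyHostCandidates(sampleSDP)
	fmt.Println("mDNS-cloaked host candidates:", r.Cloaked)
	fmt.Println("host candidates exposing a raw IP:", r.Exposed)
}
```

A browser with mDNS ICE enabled should produce only entries in the first list for its host candidates; any entry in the second list is a local address leaking to the remote peer and to any signaling server in between.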

Furthermore, the browser now lets users remove add-ons that were installed by third-party applications, and no longer allows applications to install add-ons at all; only the user can do so.

Firefox 74 includes patches for a dozen vulnerabilities, including five rated high severity, six medium risk, and one low severity.

Three high-risk flaws that Mozilla addressed are a use-after-free when removing data about origins (CVE-2020-6805), missing protections against state confusion in BodyStream::OnInputStreamReady (CVE-2020-6806), and a use-after-free in cubeb during stream destruction (CVE-2020-6807), all of which could have resulted in potentially exploitable crashes.


Additionally, the browser maker squashed memory safety bugs in Firefox 74 (CVE-2020-6815) and in both Firefox 74 and Firefox ESR 68.6 (CVE-2020-6814).

The medium-severity flaws patched in the browser include CVE-2020-6808 (URL Spoofing via javascript: URL), CVE-2020-6809 (Web Extensions with the all-urls permission could access local files), and CVE-2020-6810 (focusing a popup while in fullscreen could have obscured the fullscreen notification).

Additionally, Mozilla patched CVE-2020-6811 (devtools’ ‘Copy as cURL’ feature did not fully escape website-controlled data, potentially leading to command injection), CVE-2019-20503 (out of bounds read in sctp_load_addresses_from_init), and CVE-2020-6812 (the names of AirPods with personally identifiable information were exposed to websites with camera or microphone permissions).

The low-severity bug addressed in this release is CVE-2020-6813, where the @import statements in CSS could have allowed an attacker to inject arbitrary styles, bypassing the intent of the Content Security Policy.

Related: Firefox Gets DNS-over-HTTPS as Default in U.S.

Related: Firefox 74 Will Disable TLS 1.0 and TLS 1.1 by Default

Written by Ionut Arghire, international correspondent for SecurityWeek.
