Mozilla this week released Firefox 74 to the stable channel with several security improvements, including patches, a new add-ons policy, improved privacy, and versions 1.0 and 1.1 of the Transport Layer Security (TLS) protocol disabled by default.
With TLS 1.0 and TLS 1.1 considered vulnerable to various types of attacks, including BEAST, CRIME and POODLE, the Internet organization last month announced plans to disable them in its popular browser and allow only connections made using TLS 1.2 and TLS 1.3.
The move should have no impact on websites that support TLS 1.2 and up, but will result in an error message being displayed when the newer protocol iterations are not supported. An override button on the error page will provide users with the option to fallback to TLS 1.0 or TLS 1.1.
The deprecation of older TLS iterations was initially announced a couple of years ago, but some website administrators have yet to upgrade to newer versions of the protocol. The change introduced in Firefox 74 is expected to encourage them to improve the security of their sites and users.
With the new release, Mozilla improved the browser’s login management capabilities and also enhanced the privacy of users’ web voice and video calls through support for mDNS ICE by cloaking IP addresses in certain WebRTC scenarios.
Furthermore, the browser now allows users to remove add-ons that have been installed by third-party apps and no longer allows applications to install add-ons. Only users are allowed to do so.
Firefox 74 includes patches for a dozen vulnerabilities, including five rated high severity, six medium risk, and one low severity.
Three high-risk flaws that Mozilla addressed are a use-after-free when removing data about origins (CVE-2020-6805), missing protections against state confusion in BodyStream::OnInputStreamReady (CVE-2020-6806), and a use-after-free in cubeb during stream destruction (CVE-2020-6807), all of which could have resulted in potentially exploitable crashes.
Additionally, the browser maker squashed memory safety bugs in Firefox 74 (CVE-2020-6815) and in both Firefox 74 and Firefox ESR 68.6 (CVE-2020-6814).
Additionally, Mozilla patched CVE-2020-6811 (devtools’ ‘Copy as cURL’ feature did not fully escape website-controlled data, potentially leading to command injection), CVE-2019-20503 (out of bounds read in sctp_load_addresses_from_init), and CVE-2020-6812 (the names of AirPods with personally identifiable information were exposed to websites with camera or microphone permissions).
The low-severity bug addressed in this release is CVE-2020-6813, where the @import statements in CSS could have allowed an attacker to inject arbitrary styles, bypassing the intent of the Content Security Policy.