Firefox 93 Improves Protection Against Tracking, Insecure Downloads

Mozilla this week released Firefox 93 to the stable channel with several security improvements, including better privacy protections, patches, and anti-tracking capabilities.

Starting with Firefox 93, the browser blocks insecure HTTP downloads on encrypted (HTTPS) pages, to keep users safe from potentially unwanted or even malicious downloads.

Given that data transmitted over HTTP isn’t protected, attackers able to intercept that data could not only view it, but also tamper with it. Thus, attackers could potentially replace files downloaded over HTTP with malicious ones, which could lead to full system compromise.

Firefox 93 now blocks such insecure file downloads and prompts the user to stop the download and remove the file, while also offering the choice to continue with the download.

The browser now also blocks downloads in sandboxed iframes, to prevent instances where malicious content could initiate a drive-by download from the sandbox. Thus, unless the iframe’s sandbox attribute includes the ‘allow-downloads’ value, Firefox will prevent such downloads.
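As an added example (not from Mozilla or the original article), a site owner can statically check a page for the two cases described above: HTTP download links on an HTTPS page, and sandboxed iframes with or without `allow-downloads`. The extension list, the finding names and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: file extensions treated as "downloads" for this static check.
DOWNLOAD_EXTS = (".exe", ".msi", ".dmg", ".zip", ".pdf", ".iso")

# Constructed sample page, not taken from any real site.
SAMPLE = """
<a href="http://downloads.example.com/setup.exe">Installer</a>
<a href="/files/manual.pdf" download>Manual</a>
<a href="http://example.com/about">About</a>
<iframe sandbox="allow-scripts" src="https://ads.example.net/slot"></iframe>
<iframe sandbox="allow-scripts allow-downloads" src="https://cdn.example.org/get"></iframe>
<iframe src="https://example.com/widget"></iframe>
"""


class DownloadAudit(HTMLParser):
    """Static check of one page against the two download rules above."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_is_https = urlsplit(page_url).scheme == "https"
        self.findings = []  # (kind, detail) tuples

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._check_link(attrs)
        elif tag == "iframe" and "sandbox" in attrs:
            # A bare `sandbox` attribute parses as None: all restrictions on.
            tokens = (attrs["sandbox"] or "").lower().split()
            state = "allowed" if "allow-downloads" in tokens else "blocked"
            self.findings.append((f"sandbox-downloads-{state}", attrs.get("src", "")))

    def _check_link(self, attrs):
        target = urlsplit(urljoin(self.page_url, attrs["href"]))
        is_download = "download" in attrs or target.path.lower().endswith(DOWNLOAD_EXTS)
        if self.page_is_https and target.scheme == "http" and is_download:
            self.findings.append(("insecure-download", target.geturl()))


def audit(page_url, html):
    parser = DownloadAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Calling `audit("https://www.example.com/get/", SAMPLE)` returns the links to move to HTTPS and shows which embedded frames are currently permitted to start downloads.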

After disabling older iterations of the Transport Layer Security (TLS) protocol last year, Firefox now closes the door on 3DES, a popular encryption algorithm that is nothing more than an adaptation of the Data Encryption Standard.

The reasons for this, Mozilla says, include the fact that attacks against 3DES have become stronger, and the emergence of more efficient, stronger encryption algorithms that are already standardized and widely supported.

“As long as 3DES remains an option that Firefox provides, it poses a security and privacy risk. Because it is no longer necessary or prudent to use this encryption algorithm, it is disabled by default in Firefox 93,” Mozilla notes.

The move is expected to cause compatibility issues, yet only outdated devices that are no longer supported are affected, even if some modern servers do use 3DES. Thus, Firefox will allow for the algorithm to be used if deprecated versions of TLS have been manually enabled.

Firefox 93 also brings additional privacy improvements, including better tracking protections, courtesy of a more comprehensive SmartBlock version, available in Private Browsing and Strict Tracking Protection.

The third iteration of the intelligent tracker blocking mechanism features better support for replacing Google Analytics scripts and supports popular services such as Amazon TAM, Criteo, Optimizely, and various advertising scripts from Google.

Additionally, the browser update brings improved HTTP referrer protections, where Firefox will ignore less restrictive referrer policies for cross-site requests. For Strict Tracking Protection and Private Browsing users, these features are automatically enabled as soon as Firefox is updated to version 93.
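The effect of the referrer change can be worked through in code. This added example (not Firefox source and not from the original article) computes the `Referer` value under each policy defined in the W3C Referrer Policy specification, then applies the Firefox 93 rule for cross-site requests. The naive site comparison, the function names and the sample URLs are assumptions.

```python
from urllib.parse import urlsplit

# Less restrictive policies per Mozilla's Firefox 93 announcement (not listed in the article).
LESS_RESTRICTIVE = {"no-referrer-when-downgrade", "origin-when-cross-origin", "unsafe-url"}
DEFAULT_POLICY = "strict-origin-when-cross-origin"
# Constructed sample: a page URL carrying private data, and a third-party pixel.
PAGE = "https://shop.example.com/cart?user=alice&order=1234"
PIXEL = "https://tracker.example.net/pixel"


def site(url):
    # Assumption: registrable domain = last two host labels. Browsers use the
    # Public Suffix List, so this is wrong for suffixes such as co.uk.
    return ".".join(urlsplit(url).hostname.split(".")[-2:])


def referrer(policy, src, dst):
    """Referer value for a request from src to dst, or None if omitted."""
    s, d = urlsplit(src), urlsplit(dst)
    origin = f"{s.scheme}://{s.netloc}/"
    full = f"{s.scheme}://{s.netloc}{s.path or '/'}" + (f"?{s.query}" if s.query else "")
    same_origin = (s.scheme, s.netloc) == (d.scheme, d.netloc)
    downgrade = s.scheme == "https" and d.scheme != "https"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if downgrade:  # the remaining policies all omit the header on HTTPS -> HTTP
        return None
    if policy == "strict-origin":
        return origin
    if policy == "no-referrer-when-downgrade":
        return full
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else origin
    raise ValueError(f"unknown referrer policy: {policy}")


def sent_referrer(policy, src, dst, strict_mode=True):
    """Referer sent when strict_mode (Strict protection / Private Browsing) is on."""
    if strict_mode and policy in LESS_RESTRICTIVE and site(src) != site(dst):
        policy = DEFAULT_POLICY  # less restrictive policy ignored cross-site
    return referrer(policy, src, dst)
```

With `unsafe-url` set by the page, `sent_referrer("unsafe-url", PAGE, PIXEL)` yields only the origin, while `strict_mode=False` shows the full URL, query string included, that would otherwise reach the third party.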

Mozilla shipped Firefox 93 with a series of patches as well, including four that address high-severity issues and three that fix moderate-severity security flaws. The most severe of these bugs could be exploited to achieve arbitrary code execution.

The resolved issues include use-after-free bugs in the MessageTask and nsLanguageAtomService objects, a data race flaw in crossbeam-deque, memory safety errors, and a vulnerability where validation messages could have been overlaid on another origin.

All these security holes were patched in Firefox 93, Firefox Extended Support Release (ESR) 78.15, and Firefox ESR 91.2.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
