Mozilla this week released Firefox 93 to the stable channel with several security improvements, including better privacy protections, patches, and anti-tracking capabilities.
Starting with Firefox 93, the browser blocks insecure HTTP downloads on encrypted (HTTPS) pages, to keep users safe from potentially unwanted or even malicious downloads.
Given that data transmitted over HTTP isn’t protected, attackers able to intercept that data could not only view it, but also tamper with it. Thus, attackers could potentially replace files downloaded over HTTP with malicious ones, which could lead to full system compromise.
Firefox 93 now blocks such insecure file downloads and prompts the user to stop the download and remove the file, while also offering the choice to continue with the download.
The browser now also blocks downloads in sandboxed iframes, to prevent instances where malicious content could initiate a drive-by download from the sandbox. Thus, unless the sandboxed content has the ‘allow-downloads’ attribute, Firefox will prevent such downloads.
After disabling older iterations of the Transport Layer Security (TLS) protocol last year, Firefox now closes the door on 3DES, a popular encryption algorithm that is nothing more than an adaptation of the Data Encryption Standard.
The reasons for this, Mozilla says, include the fact that attacks against 3DES have become stronger, and the emergence of more efficient, stronger encryption algorithms that are already standardized and widely supported.
“As long as 3DES remains an option that Firefox provides, it poses a security and privacy risk. Because it is no longer necessary or prudent to use this encryption algorithm, it is disabled by default in Firefox 93,” Mozilla notes.
The move is expected to cause compatibility issues, yet only outdated devices that are no longer supported are affected, even if some modern servers do use 3DES. Thus, Firefox will allow for the algorithm to be used if deprecated versions of TLS have been manually enabled.
Firefox 93 also brings additional privacy improvements, including better tracking protections, courtesy of a more comprehensive SmartBlock version, available in Private Browsing and Strict Tracking Protection.
The third iteration of the intelligent tracker blocking mechanism features better support for replacing Google Analytics scripts and supports popular services such as Amazon TAM, Criteo, Optimizely, and various advertising scripts from Google.
Additionally, the browser update brings improved HTTP referrer protections, where Firefox will ignore less restrictive referrer policies for cross-site requests. For Strict Tracking Protection and Private Browsing users, these features are automatically enabled as soon as Firefox is updated to version 93.
Mozilla shipped Firefox 93 with a series of patches as well, including four that address high-severity issues and three that fix moderate-severity security flaws. The most severe of these bugs could be exploited to achieve arbitrary code execution.
The resolved issues include use-after-free bugs in MessageTask and nsLanguageAtomService object, a data race flaw in crossbeam-deque, memory safety errors, and a vulnerability where validation messages could have been overlaid on another origin.
All these security holes were patched in Firefox 93, Firefox Extended Support Release (ESR) 78.15, and Firefox ESR 91.2.