Firefox just published its latest now-every-fourth-Tuesday release, bringing numerous security fixes, including three denoted critical.
The 76.0 release also comes with fanfare for new features that have been added to Firefox’s own password manager, with the coronavirus pandemic clearly being the unstated reason for trumpeting these features now:
There’s no doubt that during the last couple of weeks you’ve been signing up for new online services like streaming movies and shows, ordering takeout or getting produce delivered to your home. All of those new accounts need unique, strong passwords to be secure, which you can now generate, manage and protect more easily with Firefox Lockwise.
Lockwise is Firefox’s combined mobile phone and browser-based password manager that now alerts you if it thinks you may have been affected by a data breach.
Mozilla says that Firefox will tell you automatically if it thinks one of the websites where you have an account has been hit by a data breach.
Unsurprisingly, that’s called a Website Breach warning and it’s triggered if the last time you changed your password on a website was before the breach happened:
Also making its debut is a Vulnerable Password warning, something that none of us should need but many of us could probably nevertheless do with:
That tells you if any of your other passwords match the password you were using on a site that “was likely in a data breach”.
Ideally, we’d like to see that warning come up every time you start your browser when any two of your passwords are the same, so that you get a regular and firm prod to change both of them to something fresh, complex, and unique.
But Firefox’s slightly gentler approach is probably a better place to start.
(We’re guessing that if you have one password you use on lots of accounts, it’s because you think they are “throwaways” and so you probably use a short and obvious password too – but there’s no need to choose a trivial password when your password manager can generate and remember complex ones easily.)
Of course, if you already have a password manager you’re happy with, or you have an incredible memory for c0MPlic4ted sTR!nZ OV unu5$l t3KSt
, then you won’t be interested in these new features, but you need the upate anyway for the security fixes in it.
As we mentioned above, three of the 11 CVE-numbered security fixes are dubbed critical:
- CVE-2020-12387: Use-after-free during worker shutdown. This is listed as causing “a potentially exploitable crash”, which suggests that with enough skill, a crook might be able to use this bug to implant malware.
- CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens. A sandbox escape means that rogue content on a web page might be able to escape from the security controls by which the browser keeps data from different websites apart, and stops untrusted web pages interacting with trusted parts of your computer such as data stored on your hard disk.
- CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8. This is Firefox’s usual “catchall” vulnerability and this one covers eight different bugs found during the routine security reviews and testing that Mozillans carry out.
Note that the second vulnerability above is specific to Firefox on Windows, though please don’t use that as a reason to defer the update if you have a Mac or a Linux/Unix computer.
There’s a separate entry, CVE-2020-12395, flagged high rather than critical, covering five bugs that were found in Firefox 75 but not in 68.7 Extended Support Release (ESR), reminding us all that new features sometimes do bring new bugs.
The Tor Browser, which is based on Firefox ESR, also gets an update, somewhat confusingly moving from 9.0.9 to 9.0.10.
(If you are a Tor user, you can check which Firefox release your current Tor is based on in the About Tor Browser dialog.)
What to do?
Same as usual: go to Help > About Firefox (or About Tor Browser) to see if you are up to date.
If not, the update will be fetched for you and you’ll prompted to update – restarting Firefox will automatically apply the update and reload the new version.
If you’re a Linux or xBSD user with a Firefox build that is provided by your distro, you’ll need to check back with your own distro’s update servers to find and fetch any available Firefox fixes.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
Reactive
Have no fear, a patch for your patch has arrived :D
Welcome 76.0.1
Paul Ducklin
Two fixes are mentioned, neither of which is a true security fix. Although one is “a crash” it only applies to 32-bit Windows systems with some sort of nVidia driver installed, and there’s no suggestion it’s exploitable (though never say never when it comes to crashes).