Site icon Sophos News

Mild monthly security update from Firefox – but update anyway

It’s time for this month’s scheduled Firefox update (technically, with 28 days between updates, you sometimes get two updates in one calendar month, but July 2022 isn’t one of those months)…

…and the good news is that the worst bugs listed, which get a risk category of High, are those found by Mozilla itself using automated bug-hunting tools, and lumped togther under two catchall CVE numbers:

The reason that these bugs are split into two groups is that Mozilla officially supports two flavours of its browser.

There’s the latest-and-greatest version, currently 103, which has all the latest features and relevant security fixes.

And there’s the Extended Support Release (ESR) flavour, which synchs up with the features in the latest version every few months, but in between gets security updates only, thus bringing in new features only after they’ve been available to try out in the mainstream version for some time.

As you can imagine, sysadmins and IT teams who support Firefox at work often like ESRs because it means they don’t have to foist new features on their own users (or take the inevitable support calls about new menu options, different icons and modified behaviour) without good warning.

There are almost always at least a few bugs fixed in the mainstream Firefox version that don’t appear in the ESR, and thus can’t be fixed there, because the bugs are new, introduced in the new code added to support the new features.

This is another reason that some sysadmins like ESR-style software, given that the code in those versions has been geneally exposed to real-life scrutiny for longer, without lagging behind on security patches.

In fact, Mozilla retains two ESR versions, so that you can try the previous and the current ESR versions at the same time before making the switch, thus never needing to use the cutting-edge version our your production network at all. (See below for the latest version numbers of all currently-supported versions.)

Misleading your clicks

Of the other six bugs on the patch list, we think two are intriguing and important, because both of them give attackers a chance to trick you into clicking something that isn’t what it seems:


LEARN MORE ABOUT SHORTCUTS AND MALWARE

https://nakedsecurity.sophos.com/2016/08/03/beware-of-ransomware-hiding-in-shortcuts/

What to do?

As usual, go to Help > About Firefox and see whether the popup box tells you Firefox is up to date or offers you a clickable button labelled [Update to X].

This time, the version you’re after is 103.0 (if you’re using the mainstream version), ESR 102.1 (if you’re on the most recent ESR version), or ESR 91.12 (if you’re on the oldest ESR flavour).

As we’ve explained before, but think it’s worth mentioning again, the two numbers in the ESR release identifiers add together to denote the mainstream release that they match up with in terms of security updates.

So, given that the current mainstream version is 103, you can quickly tell than 102.1 ESR (102+1 = 103) and 91.12 ESR (91+12 = 103) are the most recent releases in their respective lineages.


Exit mobile version