Firefox’s latest monthly update just came out, bumping the primary version of the popular alternative browser to 115.0.
OK, it’s technically a once-every-four-weeks update, so that there will sometimes be two major updates in a single calendar month, just as you sometimes get two full moons in a month, but this month there’s only one.
(At the end of next month, August 2023, there will co-incidentally be both a blue moon, which is the term used for the second full moon in a single month, and what we’ll refer to by analogy as a Blue Firefox, with Firefox 116 arriving on 01 August 2023 and Firefox 117 following up four weeks later on 29 August 2023.)
Early warning for users of old OSes
Mozilla’s own headline news for version 115 is that:
In January 2023, Microsoft ended support for Windows 7 and Windows 8. As a consequence, this is the last version of Firefox that users on those operating systems will receive. […]
Similarly, this is the last major version of Firefox that will support Apple macOS 10.12, 10.13, and 10.14.
From next month, if you’re stuck with computers that can only run older, unsupported versions of Windows and macOS, you’ll automatically be switched over to the Firefox ESR version.
ESR is short for Extended Support Release, a special Firefox flavour that gets security updates but not feature updates.
Unfortunately, every so often the ESR absorbs all the feature updates that have been deferred since the last time the ESR “caught up”, after which it spends a year or so quietly getting just security updates once again.
In other words, ESR versions last for just over a year before they are “re-based” on a recent major version, complete with all the new features from the interim period added in, and all the now-expunged features taken out.
By the end of 2023, for example, the ESR release will be at 115.6, which means that it will be this month’s version feature-wise, along with all the security patches that have come out since now.
But September 2024 will see the last ESR version release based on major version 115, namely ESR 115.15…
…after which the oldest supported ESR release will be based on the code of next month’s major version 116, which won’t run on your older Windows and Mac devices any more.
In short, Windows 7, Windows 8 and macOS-before-Catalina (10.15) won’t get Firefox updates at all after September 2024, because even the ESR version will no longer support those platforms.
(If you can’t update your computer by then, we strongly suggest switching to an alternative operating system that is supported on your hardware, such as Linux, so you can not only get system upgrades but also run an up-to-date browser.)
Patches this month
Fortunately, none of this month’s security patches are listed as zero-days, meaning that all the fixes included are for bugs that were either responsibly disclosed by outside researchers, or discovered by Mozilla’s own security and development teams.
There are four CVE-numbered bug fixes rated High, namely:
- CVE-2023-37201: Use-after-free in WebRTC certificate generation. Ironically, this means a potential remote code execution bug (where an attacker gets to implant code on your computer without warning) could be triggered during the very part of an audio or video call that’s supposed to set up a secure, end-to-end encrypted channel over HTTPS.
- CVE-2023-37202: Potential use-after-free from compartment mismatch in SpiderMonkey. SpiderMonkey is the Mozilla software component responsible for handling JavaScript code. Running externally supplied JavaScript is supposed to be “mostly harmless”, because browser JavaScript engines deliberately limit the damage that remote JavaScript code can do. Unless, of course, the JavaScript engine itself contains an exploitable bug, allowing what’s known in the jargon as a security escape or a sandbox escape.
- CVE-2023-37211: Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13. As usual, Mozilla is candid enough to admit, even for bugs found automatically that might ultimately turn out not to be dangerous, “We presume that with enough effort some of these could have been exploited to run arbitrary code.”
- CVE-2023-37212: Memory safety bugs fixed in Firefox 115. This is a further set of possible security bugs patched only in the latest major version, but not in the current ESR 102.13 release, presumably because these bugs were introduced via new features added since version 102 came out last year. The concern that “new features mean new bugs” is what leads some users to stick to ESR releases in the first place. (Note that you can add the two numbers in the ESR version together to tell you how far along you are in security update terms.)
There are numerous other Moderate and Low severity bugs, of which three stand out as interesting, at least in our opinion:
- CVE-2023-37204: Fullscreen notification obscured via option element. Apparently, a rogue web page can switch Firefox into fullscreen mode while simultaneously kicking off a background calculation to use up so much processing power that you won’t see the browser’s warning about taking over the entire screen. Note that a rogue website can paint pixels anywhere on the display in fullscreen mode, including popping up realistic but fake operating system dialogs, or a displaying a bogus address bar with a fake URL in it. As a result, warnings before you enter fullscreen mode can considered vital.
- CVE-2023-37207: Fullscreen notification obscured. This bug is similar to the previous one, though it is triggered not by chewing up processor time, but by referencing a type of URL (for example a
mailto://link) that gets handled by an external program instead of by the browser itself. - CVE-2023-37205: URL spoofing in address bar using Right-to-Left characters. We don’t know exactly how this bug works or how it might be exploited, but the description suggests that by mixing Arabic characters in a URL with Latin ones that specify the server name part, an attacker could get a malicious domain name in Latin script to get written out “backwards”. Thus a site that showed up as, say,
moc.elpmaxecould actually refer to the server atexample.com. With a carefully-chosen server name, an unknown and untrusted domain could be disguised to look like a well-known brand name.
What to do?
Open the Help > About Firefox window (or Firefox > About Firefox on macOS) to see what version you currently have, and to get the latest version if you’re out of date.
Note that if you’re months out of date, you may not get the latest version in one go, so go back into the About Firefox dialog again to check that there aren’t any additional update “jumps” you need to complete.
If Firefox is supplied by your Linux or BSD distro, check back with the distro itself for the latest version.