Posts posted by trium

  1. ff v102.4.0 esr

    18. oct 2022

    Fixed

    • Various stability, functionality, and security fixes.

    Quote

    Security Vulnerabilities fixed in Firefox ESR 102.4

    Announced October 18, 2022
    Impact high
    Products Firefox ESR
    Fixed in
    • Firefox ESR 102.4

    #CVE-2022-42927: Same-origin policy violation could have leaked cross-origin URLs

    Reporter James Lee
    Impact high
    Description

    A same-origin policy violation could have allowed the theft of cross-origin URL entries, leaking the result of a redirect, via performance.getEntries().

    #CVE-2022-42928: Memory Corruption in JS Engine

    Reporter Samuel Groß
    Impact high
    Description

    Certain types of allocations were missing annotations that, if the Garbage Collector was in a specific state, could have led to memory corruption and a potentially exploitable crash.

    #CVE-2022-42929: Denial of Service via window.print

    Reporter Andrei Enache
    Impact moderate
    Description

    If a website called window.print() in a particular way, it could cause a denial of service of the browser, which may persist beyond browser restart depending on the user's session restore settings.

    #CVE-2022-42932: Memory safety bugs fixed in Firefox 106 and Firefox ESR 102.4

    Reporter Mozilla developers and community
    Impact moderate
    Description

    Mozilla developers Ashley Hale and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 105 and Firefox ESR 102.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

  2. ff v106.0

    18. oct 2022

    New

    • It is now possible to edit PDFs: including writing text, drawing, and adding signatures.

    • Setting Firefox as your default browser now also makes it the default PDF application on Windows systems.

    • You can now pin private windows to your Windows taskbar on Windows 10 and Windows 11 for simpler access. Also, private windows have been redesigned to increase the feeling of privacy.

    • Swipe-to-navigate (two fingers on a touchpad swiped left or right to perform history back or forward) now works for Linux users on Wayland.

    • Text Recognition in images allows users on macOS 10.15 and higher to extract text from the selected image (such as a meme or screenshot).

      Extracted text is copied to the clipboard in order to share, store, or search—without needing to manually retype everything.

      • This feature is compatible with “VoiceOver,” the built-in macOS screen reader.
      • For more information, check out our SUMO article.

    • “Firefox View” helps you get back to content you previously discovered. A pinned tab allows you to find and open recently closed tabs on your current device, access tabs from other devices (via our “Tab Pickup” feature), and change the look of the browser (with Colorways).

    • With the launch of the “Independent Voices” collection, Firefox is introducing 18 new “Colorways.” You can now access a “Colorways” modal experience via “Firefox View”; each new color is accompanied with a bespoke graphic and a text description that speaks to its deeper meaning. The collection will be available through Jan 16.

    Fixed

    Web Platform

    • A major upgrade to our WebRTC capabilities (libwebrtc library upgraded from version 86 to 103) brings multiple improvements:

      • Better screen sharing for Windows and Linux Wayland users.
      • Lower CPU usage and increased frame rates during WebRTC screen capture on macOS.
      • RTP performance and reliability improvements.
      • Richer statistics.
      • Cross-browser and service compatibility improvements.

    Unresolved

    • We are investigating an increase in crashes reported by users with AMD Zen 1 CPUs (fixed in 106.0.1).

    • We are investigating hangs with Firefox installed from the Windows Store (fixed in 106.0.2).

    • We are investigating with Microsoft hangs experienced by Firefox users on Windows 11 version 22H2 triggered when performing certain copy actions on page content. Our support article provides a temporary workaround until we release a fix for this issue (fixed in 106.0.3).

  3. ff v105.0.2

    04. oct 2022

    Fixed

    • Fixed poor contrast on various menu items with certain themes on Linux systems (bug 1792063)

    • Fixed the scrollbar appearing on the wrong side of select elements in right-to-left locales (bug 1791219)

    • Fixed a possible deadlock when loading some sites in Troubleshoot Mode (bug 1786259)

    • Fixed a bug causing some dynamic appearance changes to not appear when expected (bug 1786521)

    • Fixed a bug causing theme styling to not be properly applied to sidebars for some add-ons in Private Browsing Mode (bug 1787543)

  4. ff v102.3.0 esr

    20. sept 2022

    Fixed

    • Various stability, functionality, and security fixes.

    Quote

    Security Vulnerabilities fixed in Firefox ESR 102.3

    Announced September 20, 2022
    Impact high
    Products Firefox ESR
    Fixed in
    • Firefox ESR 102.3

    #CVE-2022-3266: Out of bounds read when decoding H264

    Reporter Willy R. Vasquez at UT Austin
    Impact high
    Description

    An out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash.

    #CVE-2022-40959: Bypassing FeaturePolicy restrictions on transient pages

    Reporter Armin Ebert
    Impact high
    Description

    During iframe navigation, certain pages did not have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments.

    #CVE-2022-40960: Data-race when parsing non-UTF-8 URLs in threads

    Reporter Armin Ebert
    Impact high
    Description

    Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash.

    #CVE-2022-40958: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix

    Reporter Axel Chong (@Haxatron)
    Impact moderate
    Description

    By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks.

    #CVE-2022-40956: Content-Security-Policy base-uri bypass

    Reporter Satoki Tsuji
    Impact low
    Description

    When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead.

    #CVE-2022-40957: Incoherent instruction cache when building WASM on ARM64

    Reporter Gary Kwong
    Impact low
    Description

    Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash.
    This bug only affects Firefox on ARM64 platforms.

    #CVE-2022-40962: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

    Reporter Mozilla developers and community
    Impact high
    Description

    Mozilla developers Nika Layzell, Timothy Nikkel, Sebastian Hengst, Andreas Pehrson, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 104 and Firefox ESR 102.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

  5. ff v105.0

    20. sept 2022

    New

    • Added an option to print only the current page from the print preview dialog.

    • Firefox now supports partitioned service workers in third-party contexts. You can register service workers in a third-party iframe and it will be partitioned under the top-level domain.

    • Swipe to navigate (two fingers on a touchpad swiped left or right to perform history back or forward) on Windows is now enabled.

    • Firefox is now compliant with the User Timing L3 specification, which adds additional optional arguments to the performance.mark and performance.measure methods to provide custom start times, end times, duration, and attached details.

    • Searching in large lists for individual items is now 2x faster. This performance enhancement replaces array.includes and array.indexOf with an optimized SIMD version.

    Fixed

    • Stability on Windows is significantly improved as Firefox handles low-memory situations much better.

    • Touchpad scrolling on macOS was made more accessible by reducing unintended diagonal scrolling opposite of the intended scroll axis.

    • Firefox is less likely to run out of memory on Linux and performs more efficiently for the rest of the system when memory runs low.

    • Various security fixes.

    Web Platform

    • Support for the Offscreen Canvas DOM API with full context and font support. The OffscreenCanvas API provides a canvas that can be rendered off-screen in both Window and Web Worker contexts.

  6. uBOLite_0.1.23.6055

    github-actions released this

    05. Jun 2023

    Release notes

  7. ublock v1.48.0

    github-actions released this

    21. Mar 2023

    New

    Readiness status at browser launch

    uBO's readiness at browser launch time is a particularly prickly issue on Chromium-based browsers,[1] especially more so since Chromium 110. This leads to numerous reports of "uBlock stopped working", which are simply caused by the fact that at launch time the browser started to load webpages before uBO was ready to filter properly (because the filter lists were not fully loaded in memory).

    To reduce the number of reports caused by this issue which is outside of uBO's control, uBO's toolbar icon will now reflect its readiness status at browser launch (i.e. make visible to users what has always been happening):

    1. A yellowish toolbar icon means that uBO is currently loading all filter lists into memory and as such is not ready to filter properly:
      Screenshot from 2023-03-18 12-50-34

    2. If additionally there is a yellowish ! badge while uBO is working toward readiness, this means network requests were fired by the browser which could not be processed by uBO, potentially leading to ads/trackers/etc. not being filtered in some of the already opened webpages:
      Screenshot from 2023-03-18 12-25-30

    3. Once uBO is ready to filter properly, a yellowish ! badge on a normally colored toolbar icon means that the current webpage was not filtered properly at browser launch, potentially causing the current webpage to be afflicted by ads/trackers/etc.:
      Screenshot from 2023-03-18 11-58-36

    4. To remediate the browser launch filtering issue on a given webpage, you can simply force a reload of that webpage, which as a result will bring back the badge to be rendered as expected:
      Screenshot from 2023-03-18 11-58-42

    For Chromium-based browsers, it is possible to automate step 4 above by checking the setting Suspend network activity until all filter lists are loaded in Filter lists pane in the dashboard. Caveat: in the past some users have reported this negatively interfered with page loading at browser launch time in some cases (example, example), hence why it is optional and not enabled by default in Chromium-based browsers.

    With Firefox-based browsers, you should typically only see steps 1 and 4 above, unless you disabled the setting Suspend network activity until all filter lists are loaded, which is enabled by default in Firefox.

    [1] See uBlock Origin works best on Firefox / Browser launch

    Code viewer

    Investigating filter issues can be a serious time sink, and to help with this, a code viewer has been added to uBO. The code viewer will automatically beautify HTML/CSS/JS code, which should be an improvement over the browser built-in view-source tool.

    You can view beautified source code of HTML/CSS/JS resources when clicking the link in a logger entry. Additionally, if the advanced setting filterAuthorMode is set to true, an entry labelled View source code... will be added to the context menu, so that you can view the source code of any page/resource without having to open the logger.

    Fixes / changes
