Mozilla has officially launched Firefox 133.0, introducing a host of new features, performance improvements, and critical security fixes.
The release, first offered to the Release channel on November 26, 2024, brings significant advancements in privacy protection, developer tools, and overall browser functionality.
This new release also addresses several security vulnerabilities to enhance user safety.
One of the most notable additions in Firefox 133 is the Bounce Tracking Protection feature, now available in Enhanced Tracking Protection’s “Strict” mode.
According to Mozilla, this privacy-focused feature detects bounce trackers (websites that redirect users in order to track their behavior) and periodically purges their cookies and site data, effectively blocking tracking attempts.
- Improved Tab Management: Users can now open the sidebar to view tabs from other devices directly via the Tab overview menu.
- Performance Boost on Windows: GPU-accelerated Canvas2D is enabled by default, offering better rendering performance.
- Enhanced Picture-in-Picture (PiP): The “auto-open on tab switch” feature from Firefox Labs now works more reliably across various websites, automatically opening relevant videos while ignoring others.
- Cookie Handling Improvements: When server time is available, the “expire” attribute value is adjusted by accounting for server-local time differences. This ensures cookies remain valid even if the local time is set incorrectly.
- Developer Tools Updates:
  - Support for the `keepalive` option in the Fetch API allows HTTP requests to persist during page navigation or closure.
  - The Permissions API is now supported in Worker Context.
  - New methods on `Uint8Array` enable easier conversion to and from Base64 and hexadecimal encodings.
  - Added support for image decoding as part of the WebCodecs API, enabling image decoding on both main and worker threads.
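
The cookie expiry adjustment described in the Cookie Handling Improvements item can be illustrated as follows. This is an added example, not Firefox source code; the function names and sample headers are constructed, and it assumes the adjustment adds the difference between the local clock and the server's `Date` header to the cookie's expiry time.

```javascript
// Added illustration, not Firefox source code. Assumption: the skew is
// (local receipt time - server Date header) and it is added to Expires.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Returns the expiry as local-clock epoch ms, or null for a session cookie.
function effectiveExpiry(setCookie, dateHeader, localNowMs) {
  const { attrs } = parseSetCookie(setCookie);
  // Max-Age is relative, so clock skew never affects it; it takes precedence.
  if (typeof attrs["max-age"] === "string" && /^-?\d+$/.test(attrs["max-age"])) {
    return localNowMs + Number(attrs["max-age"]) * 1000;
  }
  if (typeof attrs.expires !== "string") return null;
  const expiresMs = Date.parse(attrs.expires);
  if (Number.isNaN(expiresMs)) return null;
  const serverNowMs = dateHeader ? Date.parse(dateHeader) : NaN;
  // No usable server time: fall back to the unadjusted Expires value.
  if (Number.isNaN(serverNowMs)) return expiresMs;
  return expiresMs + (localNowMs - serverNowMs);
}

function isExpired(expiryMs, localNowMs) {
  return expiryMs !== null && expiryMs <= localNowMs;
}

// Constructed sample: server issues a 1-hour cookie; local clock is 2 days fast.
const SAMPLE_DATE = "Tue, 26 Nov 2024 12:00:00 GMT";
const SAMPLE_COOKIE = "sid=abc123; Expires=Tue, 26 Nov 2024 13:00:00 GMT; Path=/; Secure";
const SAMPLE_LOCAL_NOW = Date.parse("Thu, 28 Nov 2024 12:00:00 GMT");

const naive = effectiveExpiry(SAMPLE_COOKIE, null, SAMPLE_LOCAL_NOW);
const adjusted = effectiveExpiry(SAMPLE_COOKIE, SAMPLE_DATE, SAMPLE_LOCAL_NOW);
console.log("without server time, expired on arrival:", isExpired(naive, SAMPLE_LOCAL_NOW));
console.log("with server time, expired on arrival:", isExpired(adjusted, SAMPLE_LOCAL_NOW));
console.log("remaining lifetime (s):", (adjusted - SAMPLE_LOCAL_NOW) / 1000);
```

With the skewed clock in the sample, the unadjusted cookie is already expired when it arrives, while the adjusted one keeps the one-hour lifetime the server intended.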
Security Vulnerabilities Addressed
Firefox 133 resolves multiple security vulnerabilities identified in Mozilla Foundation Security Advisory 2024-63. Below is a comprehensive list of the CVEs fixed in this release:
- CVE-2024-11691: A high-impact out-of-bounds write in Apple GPU drivers via WebGL on Apple silicon M series devices, leading to memory corruption.
- CVE-2024-11700: A moderate tapjacking exploit on Android that could trick users into approving unintended actions.
- CVE-2024-11692: Select list elements could be displayed over another site, potentially causing confusion or spoofing attacks.
- CVE-2024-11701: Misleading address bar state during navigation interruptions could result in spoofing attacks.
- CVE-2024-11702: Inadequate clipboard protection in Private Browsing Mode on Android could expose sensitive information to cloud-based clipboard history.
- CVE-2024-11693: Download protections were bypassed by `.library-ms` files on Windows, allowing malicious files to execute without warnings.
- CVE-2024-11694: A CSP bypass and XSS exposure via Web Compatibility shims in Enhanced Tracking Protection’s Strict mode.
- CVE-2024-11695: URL bar spoofing using manipulated Punycode and whitespace characters could hide a page’s true origin.
- CVE-2024-11703: A PIN bypass vulnerability on Android allowed unauthorized access to saved passwords.
- CVE-2024-11696: Unhandled exceptions during add-on signature verification could disrupt validation processes, potentially bypassing signature enforcement.
- CVE-2024-11697: Improper keypress handling allowed attackers to bypass executable file confirmation dialogs.
- CVE-2024-11704: A double-free vulnerability during PKCS#7 decryption handling could lead to memory corruption.
- CVE-2024-11698: Fullscreen lock-up issues occurred when modal dialogs interrupted transitions on macOS.
- CVE-2024-11705 & CVE-2024-11706: Null pointer dereferences in cryptographic utilities caused crashes under specific conditions.
- CVE-2024-11708: A data race issue with `PlaybackParams` due to missing thread synchronization primitives.
- CVE-2024-11699: Memory safety bugs presumed exploitable for arbitrary code execution were resolved.
For enterprise users, Firefox 133 includes updates to policies and bug fixes tailored to organizational needs. Details can be found in the Firefox for Enterprise 133 Release Notes.
Firefox 133 continues Mozilla’s commitment to delivering a secure, fast, and privacy-focused browsing experience while addressing critical vulnerabilities across platforms.
Users are encouraged to update their browsers immediately to benefit from these improvements and protections.