Firefox 102 fixes address bar spoofing security hole


This month’s scheduled Firefox release is out, with the new 102.0 version patching 19 CVE-numbered bugs.

Despite the large number of CVEs, the patches don’t include any bugs already being exploited in the wild (known in the jargon as zero-days), and don’t include any bugs labelled Critical.

Perhaps the most important patch is the one for CVE-2022-34479, entitled: A popup window could be resized in a way to overlay the address bar with web content.

This bug allows a malicious website to create a popup window and then resize it to overwrite the browser’s own address bar.

Fortunately, this address bar spoofing bug only applies to Firefox on Linux; on other operating systems, the bug apparently can’t be triggered.

As you know, the browser’s own visual components, including the menu bar, search bar, address bar, security alerts, HTTPS padlock icon and more, are meant to be shielded from manipulation by untrusted web pages rendered by the browser.

These sacrosanct user interface components are known in the jargon as chrome (from which Google’s browser gets its name, in case you were wondering).

Browser chrome is off-limits to web pages for obvious reasons – to prevent bogus websites from misrepresenting themselves as trustworthy.

This means that even though phishing sites often reproduce the look-and-feel of a legitimate website with uncanny precision, they aren’t supposed to be able to trick your browser into presenting them as if they were downloaded from a genuine URL.

Uncanny resemblance but fortunately the wrong URL!
Side-by-side view of a recent scam targeting a South African bank

Image-based RCEs

Intriguingly, this month’s fixes include two CVEs that have the same bug title, and that permit the same security misbehaviour, even though they’re otherwise unrelated and were found by different bug-hunters.

CVE-2022-34482 and CVE-2022-34482 are both headlined: Drag and drop of malicious image could have led to malicious executable and potential code execution.

As the bug name suggests, these flaws mean that an image file that you save to your desktop by dragging-and-dropping it from Firefox could end up saved to disk with an extension such as .EXE instead of with the more innocent extension you were expecting, such as .PNG or .JPG.

Given that Windows annoyingly (and wrongly, in our opinion) doesn’t show you file extensions by default, these Firefox bugs could lead to you trustingly opening the file you just dropped onto your desktop without ever being aware of its real filename.

(If you save the file by more traditional means such as Right click > Save Image As…, the full filename, complete with extension, is revealed.)

These bugs aren’t true remote code execution (RCE) vulnerabilities, given that an attacker needs to persuade you to save content from a web page onto your computer and then to open it up from there, but they do make it much more likely that you would launch a malicious file by mistake.

As an aside, we strongly recommend that you tell Windows to show all file extensions, instead of secretly suppressing them, by changing the File name extensions option in File Explorer.

Turning on “Show file name extensions” on Windows 11
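To find files that are already sitting in a folder under a misleading name, the sketch below lists every file with a double-clickable extension, the name Explorer would show with extensions hidden, and what the first bytes of the file actually look like. It is an added example, not code from the article or from Mozilla; the function names, the extension list and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Leading bytes of the file types the article mentions.
MAGIC = [(b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpeg"), (b"MZ", "pe-executable")]
# Extensions Windows runs on double-click (illustrative, not exhaustive).
RISKY_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}


def sniff(path):
    """Guess the content type from the first bytes, ignoring the file name."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def audit(folder):
    """Return (name, name shown with extensions hidden, sniffed type) for risky files."""
    findings = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        shown, ext = os.path.splitext(name)
        if os.path.isfile(path) and ext.lower() in RISKY_EXT:
            findings.append((name, shown, sniff(path)))
    return findings


def demo():
    """Build a constructed sample folder and audit it."""
    samples = {
        "holiday.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,  # genuine image name
        "holiday.exe": b"MZ" + b"\x00" * 8,                   # executable content
        "cat.jpg.EXE": b"\xff\xd8\xff\xe0" + b"\x00" * 8,     # image bytes, risky name
        "notes.txt": b"plain text\n",
    }
    with tempfile.TemporaryDirectory() as folder:
        for name, data in samples.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(data)
        return audit(folder)


if __name__ == "__main__":
    for name, shown, kind in demo():
        print(f"{name!r} appears as {shown!r} with extensions hidden; content: {kind}")
```

Point `audit()` at a Desktop or Downloads folder to review what has been dropped there.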

Fixes for Follina!

Last month’s Big Bad Windows Bug was Follina, properly known as CVE-2022-30190.

Follina was a nasty code execution exploit whereby an attacker could send you a booby-trapped Microsoft Office document that linked to a URL starting with the characters ms-msdt:.

That document would then automatically run PowerShell code of the attacker’s choice, even if all you did was browse to the file in Explorer with the preview pane turned on.

Firefox has weighed in with further mitigations of its own by essentially “disowning” Microsoft’s proprietary URL schemes starting with ms-msdt: and other potentially risky names, so they no longer even ask you if you want to process the URL:

The ms-msdt, search, and search-ms protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Firefox), so in this release Firefox has blocked these protocols from prompting the user to open them.

What to do?

Just visit Help > About Firefox to check what version you’re on – you’re looking for 102.0.

If you’re up-to-date then a popup will tell you so; if not, the popup will offer to start the update for you.

If you or your company has stuck to the Firefox Extended Support Release (ESR), which includes feature updates only every few months but delivers security updates whenever needed, you’re looking for ESR 91.11.

Remember that ESR 91.11 denotes Firefox 91 with 11 updates’ worth of security fixes, and because 91+11 = 102, you can easily tell that you’re level with the latest mainstream version as far as security patches are concerned.

Linux and BSD users who have installed Firefox via their distro will need to check with their distro for the needed update.
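The 91+11 = 102 rule above can be applied across a list of machines; the sketch below does so for a mix of mainstream and ESR installs. It is an added example, not code from the article or from Mozilla: the function names and the inventory are constructed, and it assumes version strings in the form that `firefox --version` prints, with an `esr` suffix on ESR builds.

```python
import re

FIXED_RELEASE = 102  # mainstream release with this month's fixes, per the article
_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.\d+)?(esr)?\b", re.IGNORECASE)


def equivalent_release(version_text):
    """Map a Firefox version string to its mainstream-equivalent release number."""
    match = _VERSION.search(version_text)
    if match is None:
        raise ValueError(f"no Firefox version found in {version_text!r}")
    major, minor = int(match.group(1)), int(match.group(2))
    # ESR x.y carries y updates' worth of fixes on top of release x (91.11 -> 102).
    return major + minor if match.group(3) else major


def needs_update(version_text, fixed=FIXED_RELEASE):
    """True when the install is behind the fixed release on security patches."""
    return equivalent_release(version_text) < fixed


def outdated_hosts(inventory):
    """Return (host, equivalent release) for hosts behind; None marks unparsable lines."""
    flagged = []
    for line in inventory.strip().splitlines():
        host, _, version_text = line.partition("\t")
        try:
            if needs_update(version_text):
                flagged.append((host, equivalent_release(version_text)))
        except ValueError:
            flagged.append((host, None))  # unknown version: review by hand
    return flagged


# Constructed inventory: host name, a tab, then the collected version output.
SAMPLE_INVENTORY = (
    "build01\tMozilla Firefox 102.0\n"
    "kiosk07\tMozilla Firefox 91.11.0esr\n"
    "kiosk08\tMozilla Firefox 91.10.0esr\n"
    "dev-lap3\tMozilla Firefox 101.0.1\n"
    "lab-old\tfirefox: command not found\n"
)

if __name__ == "__main__":
    for host, release in outdated_hosts(SAMPLE_INVENTORY):
        print(host, "needs attention, patch level:", release)
```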
