Mozilla announced the release of Firefox version 80.0 for all major platforms. In the release notes, the company highlights the many changes that have been brought to the popular browser. Such changes include making Firefox the primary PDF document reader for a system, accessibility options like reducing animations for those with epilepsy and migraines, and much more. There are, of course, the usual bug fixes that are to be expected with any major software update, including preventing screen crashes associated with the JAWS screen reader.
Of particular note, at least to those in the cybersecurity community, are the various security fixes found in Firefox version 80.0. As described in a separate page dedicated to the security fixes, here are some of the most significant fixes to the Firefox browser:
- A severe memory corruption bug (CVE-2020-15670) that was able to run arbitrary code via unauthorized users.
- Specific to the Windows operating system, (CVE-2020-15663) allowed for administrative privilege escalation if updater.exe was executed from the install location.
- (CVE-2020-15664) could have caused malicious browser extension installation. The cause was “holding a reference to the eval() function from an about:blank window” and accessing the InstallTrigger object.
- An electromagnetic side-channel attack could occur during signature generation thanks to (CVE-2020-6829). The attack was made possible due to EC scalar point multiplication leading to the wNAF point multiplication algorithm leaking “partial information about the nonce used during signature generation.”
These are just a small amount of the many exploitable vulnerabilities fixed in Firefox version 80.0. For those in the cybersecurity field, it may be a wise decision to read over the full bug fix report for yourself. If you are a Firefox user and have not yet done so, update to version 80.0 as soon as you can. The mix of new features and security fixes should not be ignored if this is your browser of choice.
