The most recent full new model of Firefox is out, marking the primary of two “month-to-month” upgrades you’ll see this month.

Simply as there might be a blue moon in August 2023 (that’s the title utilized to a second full moon in the identical calendar month, somewhat than reference to an atmospheric phenomenon that makes the moon appear blue, in case you ever questioned), there might be a blue Firefox too.

Firefox model upgrades occur each 28 days, somewhat than as soon as a month, so each time a launch comes out early sufficient within the month, there might be a second improve squeezed in on the finish.

Teachable moments

Thankfully there are not any zero-day vulnerabilities this time, however the next bug studies caught our eye:

• CVE-2023-4045: Offscreen Canvas might have bypassed cross-origin restrictions. One webpage might peek at pictures displayed in one other web page from a unique web site. The identical-origin coverage in browsers is meant to limit the attain of HTML and JavaScript content material from web site X so it may possibly entry types, information, pictures, cookies and the like provided that they too initially got here from web site X. Any tips that may bypass this same-origin safety can theoretically be used to slurp up so-called cross-origin information that shouldn’t be accessible in any respect.
• CVE-2023-4047: Potential permissions request bypass by way of clickjacking. A rogue web page might tempt you to click on on a carefully-placed merchandise, comparable to a completely innocent-looking button, just for the enter to register as a click on in a safety dialog that didn’t pop up in time so that you can see. Doubtlessly dangerous permissions, comparable to accessing your location, sending notifications, activating the microphone and so forth, aren’t presupposed to be granted till you’ve seen and acted on a transparent warning from the browser itself.
• CVE-2023-4048: Crash in DOMParser because of out-of-memory situations. DOM is brief for doc object mannequin, and the DOMParser is the code that deconstructs the HTML in an online web page that the browser is rendering for show, turning it into an enormous JavaScript information object wherein all the person elements comparable to paragraphs, headings, pictures, desk gadgets and so forth might be accessed and modified programmatically. Advanced pages sometimes flip into giant JavaScript constructions that may take plenty of reminiscence to determine after which to retailer. Assume {that a} decided attacker might intentionally eat up reminiscence by loading a variety of giant however harmless pages, after which predictably set off a crash utilizing a crafted HTML file that will get fetched at simply the flawed time.
• CVE-2023-4050: Stack buffer overflow in StorageManager. That is an old-school stack overflow that doesn’t get detected in time by Firefox itself, and will due to this fact result in a crash as an alternative of a managed shutdown. All crashes brought on by the wrong stream of execution in a program (comparable to leaping to any invalid reminiscence deal with X) must be thought of doubtlessly exploitable. Assume {that a} decided attacker might work out the right way to affect the worth of X, and thereby achieve at the least some measure of malevolent management over the crash.
• CVE-2023-4051: Full display screen notification obscured by file open dialog. Fullscreen mode is all the time a bit dangerous, as a result of it offers the online web page you’re viewing exact management over each pixel on the display screen. Because of this there are not any components of the show that may be modified solely by the browser itself or solely by the working system. That’s why browsers goal to warn you earlier than giving over the entire show to an online web page, so you understand that popups that appear like official browser or working system dialogs could be no such factor.
• CVE-2023-4057 and CVE-2023-4058: Reminiscence security bugs mounted in varied Firefox variations. As regular, regardless that none of those bugs was clearly exploitable, they usually have been mounted proactively anyway, Mozilla has rated them “Excessive” and given its ever-frank evaluation that “we presume that with sufficient effort a few of these might have been exploited to run arbitrary code.”

What to do?

The brand new variations you might be searching for after updating are:

• Firefox 116 in case you’re on the newest model.
• Firefox ESR 115.1 if you’re a consumer of the Prolonged Assist Launch, which incorporates safety patches however doesn’t add new options. (Including 115+1 from the ESR model quantity tells you that this launch aligns with Firefox 116 for safety fixes, regardless that its characteristic set aligns with Firefox 115.)
• Thunderbird 115.1 in case you use Mozilla’s e mail software program, which incorporates the Firefox internet looking code for rendering HTML emails and viewing emailed internet hyperlinks.

Head to Firefox -> About Firefox if in case you have a Mac, or Assist -> About Firefox on different platforms.

Dont overlook, in case you use one of many BSDs or a Linux distro, that your Firefox launch could be managed by the distro itself, so examine together with your supplier for updates.