Firefox 88 Released With FTP Support Disabled, Support For JavaScript In PDFs
In addition to beginning the QUIC and HTTP/3 roll-out, Firefox 88 has a number of other improvements in tow. Firefox 88 now supports PDF forms that have JavaScript embedded in PDF files... Apparently JS in PDF is a thing for form validation and other interactive elements. Firefox 88.0 on Linux also now supports smooth pinch-zooming using a touchpad, various security improvements, and FTP support has been disabled ahead of its complete removal coming in the near future. The complete removal of FTP support is expected to happen for Firefox 90.
Related: Mozilla Firefox's PDF Reader Exploit Can Steal Files
Firefox 83 Released; Mozilla Kicks Rusty "Servo" Web Engine to the Linux Foundation
Firefox 87 Adds Stronger User Privacy Protections
Related Stories
Mozilla Firefox's PDF Reader has a vulnerability that can "violate the same origin policy and inject script into a non-privileged part of the built-in PDF Viewer. This would allow an attacker to read and steal sensitive local files on the victim's computer."
Mozilla Security Blog has further details:
Yesterday morning, August 5, a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1.
The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the "same origin policy") and Firefox's PDF Viewer. Mozilla products that don't contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.
The files it was looking for were surprisingly developer focused for an exploit launched on a general audience news site, though of course we don't know where else the malicious ad might have been deployed. On Windows the exploit looked for subversion, s3browser, and Filezilla configuration files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients. On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for Remmina, Filezilla, and Psi+, text files with "pass" and "access" in the names, and any shell scripts. Mac users are not targeted by this particular exploit but would not be immune should someone create a different payload.
The exploit leaves no trace it has been run on the local machine. If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs. People who use ad-blocking software may have been protected from this exploit depending on the software and specific filters being used.
Firefox 83 Released With Warp'ed JavaScript, HTTPS-Only Mode Option
Most notable with Firefox 83 is the SpiderMonkey "Warp" upgrade aiming to deliver better website responsiveness and other real-world JavaScript performance improvements. Mozilla describes the Warp benefits as "improved page load performance by up to 15%, page responsiveness by up to 12%, and reduced memory usage by up to 8%. We have replaced part of the JavaScript engine that helps to compile and display websites for you, improving security and maintainability of the engine at the same time."
Firefox 83 also ships with an option for an HTTPS-only mode whereby every Firefox connection aims to be secure and will warn the user should HTTPS not be supported.
Mozilla Punts Servo Web Engine Development To The Linux Foundation
Ever since the mass layoffs at Mozilla earlier this year and some Mozilla projects in jeopardy many have been wondering: what about Servo? Well, today it's heading off to the Linux Foundation.
Mozilla and the Linux Foundation are jointly announcing this morning that the Servo web engine development will now be hosted by the Linux Foundation.
The Rust-written code-base that has served as a long-in-development "next-gen" web engine at Mozilla will now be developed under the Linux Foundation umbrella. Besides Mozilla, this move has the support of other industry stakeholders like Samsung and Let's Encrypt.
See also: Firefox 84 Beta Begins Enabling WebRender By Default On Linux
Chrome 87 Released With More Performance Improvements
Google Is Already Experimenting With WebP2 As Successor To WebP Image Format
Previously: Mozilla Lays Off 250, Including Entire Threat Management Team
Following Layoffs, Mozilla and Core Rust Developers Are Forming a Rust Foundation
Firefox 87 Adds Stronger User Privacy Protections:
Mozilla today announced the release of Firefox 87 in the stable channel fitted with a new intelligent tracker blocking mechanism.
Called SmartBlock, the feature works in Firefox Private Browsing and Strict Mode and is meant to improve users' browsing experience through fixing pages that Mozilla's tracking protections break.
[...] "To reduce this breakage, Firefox 87 is now introducing a new privacy feature we are calling SmartBlock. SmartBlock intelligently fixes up web pages that are broken by our tracking protections, without compromising user privacy," Mozilla announced.
To improve user experience, SmartBlock provides local stand-ins for the third-party tracking scripts that are blocked. Designed to "behave just enough like the original ones," these scripts ensure that websites load and that their functionality is intact.
With the SmartBlock stand-ins bundled with Firefox, no third-party tracking content is loaded, thus fully preventing potential tracking attempts. SmartBlock automatically replaces specific common scripts that are classified as trackers on the Disconnect Tracking Protection List.
The new browser release also brings along a stricter, more privacy-focused Referrer Policy, where the browser, by default, "will trim path and query string information from referrer headers to prevent sites from accidentally leaking sensitive user data."
[...] Firefox 87 sets the default Referrer Policy to 'strict-origin-when-cross-origin', meaning that user sensitive information that is accessible in the URL will always be trimmed, for all "navigational requests, redirected requests, and subresource (image, style, script) requests." The new policy will be enforced automatically upon updating to Firefox 87.
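To make the trimming concrete, here is an added example (not code from the article or from Firefox) that derives the Referer value a browser sends under the common referrer policies, including the 'strict-origin-when-cross-origin' default described above. It uses the WHATWG URL parser available in Node.js; the sample URLs are constructed for illustration.

```javascript
// Added example: how the Referer header is derived under each referrer policy.
// "Potentially trustworthy" origins (https:, localhost) are what the strict-*
// policies compare to decide whether a request is a downgrade.
function isPotentiallyTrustworthy(url) {
  return url.protocol === "https:" ||
         url.hostname === "localhost" || url.hostname === "127.0.0.1";
}

// Credentials and the fragment are never sent in a referrer, whatever the policy.
function stripForReferrer(url) {
  const u = new URL(url.href);
  u.username = ""; u.password = ""; u.hash = "";
  return u.href;
}

// Returns the Referer string to send, or null when no Referer is sent.
function computeReferrer(referrerUrl, requestUrl,
                         policy = "strict-origin-when-cross-origin") {
  const ref = new URL(referrerUrl);
  const req = new URL(requestUrl);
  const full = stripForReferrer(ref);     // scheme://host[:port]/path?query
  const originOnly = ref.origin + "/";    // scheme://host[:port]/
  const sameOrigin = ref.origin === req.origin;
  const downgrade = isPotentiallyTrustworthy(ref) && !isPotentiallyTrustworthy(req);

  switch (policy) {
    case "no-referrer":                return null;
    case "unsafe-url":                 return full;
    case "origin":                     return originOnly;
    case "same-origin":                return sameOrigin ? full : null;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin":              return downgrade ? null : originOnly;
    case "origin-when-cross-origin":   return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":   // Firefox 87's new default
      if (sameOrigin) return full;            // same site keeps path and query
      return downgrade ? null : originOnly;   // cross-site: origin only, or nothing on https->http
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// Constructed sample: a cart page with a token in the query string loading a
// third-party script. Under the new default the token never leaves the origin.
const sample = computeReferrer("https://shop.example/cart?user=alice&token=abc",
                               "https://ads.example/track.js");
console.log(sample); // https://shop.example/
```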
(Score: 0) by Anonymous Coward on Tuesday April 20, @08:45PM (2 children)
(Score: 2) by takyon on Tuesday April 20, @08:51PM
Hahah.
https://hacks.mozilla.org/2021/04/never-too-late-for-firefox-88/
One day off.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by driverless on Tuesday April 20, @09:35PM
Yup, otherwise why would they have implemented:
In other words there's now a third huge scriptable exploit vector in the PDF rendering alongside the Postscript and font embedding. Can't let Adobe stay ahead in terms of code vulnerabilities.
(Score: 3, Informative) by fakefuck39 on Tuesday April 20, @09:02PM (2 children)
Because you can type an ftp address into windows explorer or any file manager on linux, and it shows up as regular files and folders, with full shell integration, like drag and drop to other folders. Windows has been able to do that since 1997, and Linux file managers finally caught up ~10-15 year later. I'm surprised it's stayed around in FF for even that long.
Here's a fun titbit from a year ago: they were going to kill it last year, but delayed because of covid. waaaaaat..
https://blog.mozilla.org/addons/2020/04/13/what-to-expect-for-the-upcoming-deprecation-of-ftp-in-firefox/
(Score: 0) by Anonymous Coward on Tuesday April 20, @09:15PM (1 child)
Mostly people that would get directed to an FTP site from a website when looking for files.
(Score: 3, Informative) by fakefuck39 on Tuesday April 20, @09:27PM
Well, that's a "technically yes" - but I wouldn't consider that "using FF for ftp." That's firefox not launching the proper protocol handler for ftp, as defined in the operating system. So yes, they were using firefox for ftp, because firefox hijacked the OS protocol handler for ftp.
Since PDF is another change given in the article, let me give that as an example. You have Acrobat installed, because your organization uses full-featured government-compliant PDF functionality, only certified for use with Adobe's product. You have Adobe Reader associated with PDF files. You click the PDF link on a web page. Instead of passing the file to Adobe, as defined by your OS, it opens it in the browser, ignoring your choice. Does that mean you're using Firefox to view PDF? Yes. But also no.
did jews live in concentration camps? yes. but no, jews were not using concentration camps for their residencies.
(Score: 0) by Anonymous Coward on Tuesday April 20, @09:13PM
Hey!! I use FireFox ftp on a couple of trusted sites, it's worked great for many years:
+ The "data source" sends out an email to the "data users" (including me) with ftp links.
+ I click on them directly in my webmail, a new blank FF tab opens and the file download happens.
+ The "data source" takes the files down after a day or two.
+ Profit!!!
Now I suppose I'm going to have to go and find some ftp software to use. But not just yet...because I'm on FF esr, so it will be awhile before my version catches up with the main releases.
(Score: 1, Informative) by Anonymous Coward on Tuesday April 20, @09:20PM
pdfjs.enableScripting false