Firefox fixes fullscreen fakery flaw – get the update now!

Firefox’s latest once-every-four-weeks security update is out, bringing the popular alternative browser to version 107.0, or Extended Support Release (ESR) 102.5 if you prefer not to get new feature releases every month.

(As we’ve explained before, the ESR version number tells you which feature set you have, plus the number of times it’s had security updates since then, which you can reconcile this month by noticing that 102+5 = 107.)

Fortunately, there are no zero-day patches this time – all the vulnerabilities on the fix-list were either responsibly disclosed by external researchers, or found by Mozilla’s own bug hunting team and tools.

Font entanglement

The highest severity level is High, which applies to seven different bugs, four of which are memory mismanagement flaws that could lead to a program crash, including CVE-2022-45407, which an attacker could exploit by loading a font file.

Most bugs relating to font file usage are caused by the fact that font files are complex binary data structures, and there are many different file formats that products are expected to support.

This means that font-related vulnerabilities usually involve feeding a deliberately booby-trapped font file into the browser so that it goes wrong trying to process it.

But this bug is different, because an attacker could use a legitimate, correctly-formed font file to trigger a crash.

The bug can be triggered not by content but by timing: when two or more fonts are loaded at the same time by separate background threads of execution, the browser may mix up the fonts it’s processing, potentially putting data chunk X from font A into the space allocated for data chunk Y from font B and thereby corrupting memory.

Mozilla describes this as a “potentially exploitable crash”, although there is no suggestion that anyone, let alone an attacker, has yet figured out how to build such an exploit.

Fullscreen considered harmful

The most interesting bug, at least in our opinion, is CVE-2022-45404, described succinctly as a “fullscreen notification bypass”.

If you’re wondering why a bug of this sort would justify a severity level of High, it’s because giving control over every pixel on the screen to a browser window that is populated and controlled by untrusted HTML, CSS and JavaScript…

…would be surprisingly handy for any treacherous website operators out there.

We’ve written before about so-called Browser-in-the-Browser, or BitB, attacks, where cybercriminals create a browser popup that matches the look and feel of an operating system window, thus providing a believable way of tricking you into trusting something like a password prompt by passing it off as a security intervention by the system itself.

One way to spot BitB tricks is to try dragging a popup you’re not sure about out of the browser’s own window.

If the popup remains corralled inside the browser, so you can’t move it to a spot of its own on the screen, then it’s obviously just part of the web page you’re looking at, rather than a genuine popup generated by the system itself.

But if a web page of external content can take over the entire display automatically without provoking a warning beforehand, you might very well not realise that nothing you see can be trusted, no matter how realistic it looks.

Sneaky crooks, for example, could paint a fake operating system popup inside a fake browser window, so that you could indeed drag the “system” dialog anywhere on the screen and convince yourself it was the real deal.

Or the crooks could deliberately display the latest pictorial background (one of those “Like what you see?” images) chosen by Windows for the login screen, thus providing a measure of visual familiarity, and thereby trick you into thinking that you had inadvertently locked the screen and needed to reauthenticate to get back in.

We’ve deliberately mapped the otherwise unused but easy-to-find PrtSc key on our Linux laptop to lock the screen instantly, reinterpreting it as a handy Protect Screen button instead of Print Screen. This means we can reliably and rapidly lock the computer with a thumb-tap every time we walk or turn away, no matter how briefly. We don’t press it unintentionally very often, but it does happen from time to time.

What to do?

Check that you’re up to date, which is a simple matter on a laptop or desktop computer: Help > About Firefox (or Apple Menu > About) will do the trick, popping up a dialog that tells you if you are current or not, and offering to get the latest version if there’s a new one you haven’t downloaded yet.

On mobile devices, check with the app for the software marketplace you use (e.g. Google Play on Android and the Apple App Store on iOS) for updates.

(On Linux and the BSDs, you may have a Firefox build that is provided by your distro; if so, check with your distro maintainer for the latest version.)

Remember, even if you have automatic updating turned on and it usually works reliably, it’s worth checking anyway, given that it only takes a few seconds to make sure nothing went wrong and left you unprotected after all.
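
If you look after more than one computer, the same check can be scripted instead of clicked through. The following is an added example, not code from this article or from Mozilla: a shell function (the name `firefox_patch_status` is made up here) that classifies the text printed by `firefox --version` against the fixed versions named above, 107.0 and ESR 102.5. The sample version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `firefox --version` output against the fixed
# releases named in the article (107.0, or 102.5 on the ESR channel).
# Prints patched / outdated / unknown and returns 0 / 1 / 2.
firefox_patch_status() {
    ver=${1##* }                 # last word, e.g. "102.4.0esr"
    channel=release
    case "$ver" in
        *esr) channel=esr; ver=${ver%esr} ;;
    esac
    major=${ver%%.*}             # text before the first dot
    rest=${ver#*.}               # text after the first dot
    if [ "$rest" = "$ver" ]; then
        rest=0                   # no dot at all, e.g. "107"
    fi
    minor=${rest%%.*}
    # Anything non-numeric (beta builds, empty input) is not guessed at.
    for part in "$major" "$minor"; do
        case "$part" in
            ''|*[!0-9]*) echo unknown; return 2 ;;
        esac
    done
    if [ "$major" -ge 107 ]; then
        echo patched; return 0   # 107.0 or any later feature release
    fi
    if [ "$channel" = esr ] && [ "$major" -eq 102 ] && [ "$minor" -ge 5 ]; then
        echo patched; return 0   # ESR 102.5 or later (102+5 = 107)
    fi
    echo outdated; return 1
}

# Constructed sample strings in the format `firefox --version` prints.
# Real use: firefox_patch_status "$(firefox --version)"
for sample in "Mozilla Firefox 106.0.5" "Mozilla Firefox 107.0" \
              "Mozilla Firefox 102.4.0esr" "Mozilla Firefox 102.5.0esr"; do
    printf '%s -> %s\n' "$sample" "$(firefox_patch_status "$sample")"
done
```

A result of `unknown` means the string did not parse as a plain release number, so check that machine by hand via the About dialog.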