Heard of cricket (the sport, not the insect)?
It’s much like baseball, except that batters can hit the ball wherever they like, including backwards or sideways; bowlers can hit the batter with the ball on purpose (within certain safety limits, of course – it just wouldn’t be cricket otherwise) without kicking off a 20-minute all-in brawl; there’s almost always a break in the middle of the afternoon for tea and cake; and you can score six runs at a time as long as you hit the ball high and far enough (seven if the bowler makes a mistake as well).
Well, as cricket enthusiasts know, 111 runs is a superstitious score, considered inauspicious by many – the cricketer’s equivalent of Macbeth to an actor.
It’s known as a Nelson, though nobody actually seems to know why.
Today therefore sees Firefox’s Nelson release, with version 111.0 coming out, but there doesn’t seem to be anything inauspicious about this one.
Eleven individual patches, and two batches-of-patches
As usual, there are numerous security patches in the update, including Mozilla’s usual combo-CVE vulnerability numbers for potentially exploitable bugs that were found automatically and patched without waiting to see if a proof-of-concept (PoC) exploit was possible:
- CVE-2023-28176: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9. These bugs were shared between the current version (which includes new features) and the ESR version, short for extended support release (security fixes applied, but with new features frozen since version 102, nine releases ago).
- CVE-2023-28177: Memory safety bugs fixed in Firefox 111 only. These bugs almost certainly only exist in new code that brought in new features, given that they didn’t show up in the older ESR codebase.
These bags-of-bugs have been rated High rather than Critical.
Mozilla admits that “we presume that with enough effort some of these could have been exploited to run arbitrary code”, but no one has yet figured out how to do so, or even if such exploits are feasible.
None of the other eleven CVE-numbered bugs this month were worse than High; three of them apply to Firefox for Android only; and no one has yet (so far as we know) come up with a PoC exploit that shows how to abuse them in real life.
Two notably interesting vulnerabilities appear amongst the 11, namely:
- CVE-2023-28161: One-time permissions granted to a local file were extended to other local files loaded in the same tab. With this bug, if you opened a local file (such as downloaded HTML content) that wanted access, say, to your webcam, then any other local file you opened afterwards would magically inherit that access permission without asking you. As Mozilla noted, this could lead to trouble if you were looking through a collection of items in your download directory – the access permission warnings you’d see would depend on the order in which you opened the files.
- CVE-2023-28163: Windows Save As dialog resolved environment variables. This is another keen reminder to sanitise thine inputs, as we like to say. In Windows commands, some character sequences are treated specially, such as %USERNAME%, which gets converted to the name of the currently logged-on user, or %PUBLIC%, which denotes a shared directory, usually in C:\Users. A sneaky website could use this as a way to trick you into seeing and approving the download of a filename that looks harmless but lands in a directory you wouldn’t expect (and where you might not later realise it had ended up).
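To make the CVE-2023-28163 behaviour concrete, here is an added Python model (not code from the article, from Mozilla or from Windows) with a constructed environment table standing in for the real Windows environment: the unfixed path expands %VAR% tokens in the suggested filename, so what you approve and where the file lands can differ; the hardened path keeps only the final name component and neutralises percent signs.

```python
import re
from pathlib import PureWindowsPath

# Constructed stand-in for the Windows environment (a real dialog would use
# the live process environment; these values are illustrative only).
ENV = {"USERNAME": "alice", "PUBLIC": r"C:\Users\Public"}

# A %NAME% token: Windows treats the text between two percent signs as a
# variable name; path separators and colons cannot be part of a name.
ENV_REF = re.compile(r"%([^%\\/:]+)%")


def expand_like_windows(name: str, env: dict = ENV) -> str:
    """Mimic Windows expansion: known (case-insensitive) names are replaced,
    unknown ones are left exactly as typed."""
    return ENV_REF.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), name)


def env_references(name: str) -> list:
    """Detection helper: list the %VAR% tokens in a proposed filename."""
    return [m.group(0) for m in ENV_REF.finditer(name)]


def sanitize_suggested_filename(name: str) -> str:
    """Hardened form: drop any directory part the remote side supplied and
    replace '%' so no token can ever be expanded later."""
    base = PureWindowsPath(name.replace("/", "\\")).name
    return base.replace("%", "_") or "download"


def landing_path(download_dir: str, suggested: str, sanitised: bool) -> str:
    """Where the file would actually end up, with and without the fix.
    Joining an absolute expanded path replaces the download directory,
    which is the 'unexpected directory' outcome the article describes."""
    name = (sanitize_suggested_filename(suggested) if sanitised
            else expand_like_windows(suggested))
    return str(PureWindowsPath(download_dir) / name)


def display_matches_landing(suggested: str) -> bool:
    """True only if the name shown to the user is the name that gets written."""
    return expand_like_windows(suggested) == suggested


if __name__ == "__main__":
    for s in ["report.pdf", "report-%USERNAME%.pdf", r"%PUBLIC%\report.pdf"]:
        print(s, "->", landing_path(r"C:\Users\alice\Downloads", s, False),
              "| fixed:", landing_path(r"C:\Users\alice\Downloads", s, True))
```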
What to do?
Most Firefox users will get the update automatically, typically after a random delay to stop everyone’s computer downloading at the same moment…
…but you can avoid the wait by manually using Help > About (or Firefox > About Firefox on a Mac) on a laptop, or by forcing an App Store or Google Play update on a mobile device.
(If you’re a Linux user and Firefox is supplied by the maker of your distro, do a system update to check for the availability of the new version.)
6 comments on “Firefox 111 patches 11 holes, but not 1 zero-day among them…”
Admiral Nelson, who died during the Battle of Trafalgar in 1805, had one arm, one leg and one eye, hence the cricket score 111 being given that name.
Except that he *didn’t* have one leg.
He lost the sight in one eye and had one arm amputated, but he had two legs. Therefore that explanation can’t be right (though I have heard it many times).
I’m sure I’m not going to be the only person to wonder this, and I know from experience that your linguistic pedigree far outclasses anything I thought I knew about the English language, but… unauspicious? Even my browser is underlining it in red!
I’ve heard of inauspicious, but clearly, if you’re in a good mood, I’m going to learn something new (-:
I will boot up my Mac and check with my chums at the New Oxford American Dict and the Oxford Dict of English…
…hmmm. Bad news for me.
I was aware of “inauspicious” and was going to use it, but decided I preferred the sight and sound of “unauspicious”. So I convinced myself it was an acceptable alternative, and used it with some zeal in the article, the strapline and the tweet generated by publishing the article.
(Words starting with in- can be annoying because we sometimes use it as a negative prefix, as in “inauspicious” and sometimes as an ultra-positive intensifier, as in “inflammable”, a word so much at odds with itself that the Anglophone world settled on “flammable” and “non-flammable” in official usage, to avoid dangerous confusion.)
But neither of the Oxford Dict editions at my disposal will admit of “unauspicious”, so I did indeed get it wrong, albeit unintentionally.
I’ve changed it in the article. (The tweet will have to stay put. If anyone notices I will claim it was a neologism and say they are welcome to borrow it.)
Wow. Thanks for this. I’ll update Firefox, weep for the demise of baseball, promise never to use “inauspicious” in a sentence, and try to clear my head of the image of Charles Laughton – the only guy I ever see in British historical images – stumbling around with one leg, one arm, and one eye. I want you to know you’ve scarred me for life.