Mozilla released a major update to its open-source browser on June 13 with the debut of Firefox 54 for Windows, macOS and Linux, providing users with improved performance and patches for 24 security issues.
Firefox 54 integrates the latest development from Mozilla’s effort to improve web page content processing, a multiprocess technology it calls Electrolysis (E10S). Mozilla has been publicly discussing E10S and bringing multiprocess web page rendering to Firefox since at least 2010, when Firefox 3.6 debuted. The E10S effort was delayed and deferred, then got a new start in February 2013; for end users, though, the new Firefox 54 release is the one that will show the first big benefits of the technology.
“Going from Firefox 53 to 54 we transitioned from one process for all of your web page content to four content processes,” Nick Nguyen, vice president of product for Firefox at Mozilla, told eWEEK. “This is in addition to a separate process for the browser user interface and another for graphics compositing.”
The separate processes for the user interface and graphics are part of the Quantum Compositor that debuted in the Firefox 53 release in April.
E10S is set to further expand with the Firefox 56 release that is scheduled for September 2017.
“In Firefox 56 we will be introducing additional processes for Add-Ons (WebExtensions), which should improve the stability and startup performance for Firefox for users with Add-Ons installed,” Nguyen said. “We’ll continue iterating on our approach to utilizing processes in future releases, adjusting our approach as we get data on real-world performance.”
24 Security Updates
In addition to the E10S improvements in Firefox 54, Mozilla also patched its browser for 24 security vulnerabilities. Three of the vulnerabilities are rated by Mozilla as having critical impact, including two sets of memory safety bugs and a use-after-free (UAF) memory vulnerability.
Of note, Firefox 54 also patches a pair of high-impact vulnerabilities that affect only Windows users. The CVE-2017-7755 vulnerability is a privilege escalation flaw triggered through the Firefox installer.
“The Firefox installer on Windows can be made to load malicious DLL files stored in the same directory as the installer when it is run,” Mozilla warns in its advisory. “This allows privileged execution if the installer is run with elevated privileges.”
The CVE-2017-7760 vulnerability is also a privilege escalation issue, though it is triggered via a callback parameter in the Mozilla Windows Updater and Maintenance Service.
“The Mozilla Windows updater modifies some files to be updated by reading the original file and applying changes to it,” Mozilla’s security advisory explained. “The location of the original file can be altered by a malicious user by passing a special path to the callback parameter through the Mozilla Maintenance Service, allowing the manipulation of files in the installation directory and privilege escalation by manipulating the Mozilla Maintenance Service, which has privileged access.”