Mozilla Improves Web Browser Security in Firefox 66 Update

Ahead of Pwn2Own, Mozilla released 21 security advisories for flaws that have now been fixed in the open-source web browser.

Firefox 66

Mozilla released the Firefox 66 update on March 19, providing users of the open-source web browser with new features that enhance user experience and improve security.

Among Firefox 66's new features is one that blocks websites from auto-playing sound, which can be an annoyance. Also, the search feature within the browser has been improved with enhanced capability to search across multiple open tabs on a user's system. Additionally, security gets a boost in the new browser release with patches for multiple vulnerabilities and an expansion of the number of web content loading processes.

"We are working to ensure Firefox users continue to experience best-in-class security and performance," Eric Smyth, product manager of performance at Firefox, told eWEEK. "Doubling content processes from 4 to 8 will allow you to open more web pages more securely without significantly changing how much memory Firefox uses."

Smyth added that expanding the number of web content loading processes is part of Mozilla's ongoing work to create a browser that is more secure and resilient to security threats. The new release follows Firefox 65, which was released on Jan. 29, integrating improved privacy controls into the web browser.

With Firefox 66, Mozilla has also improved the way it shows security warnings in the browser to better help users understand risk. Among the warnings that have changes are SSL/TLS certificate error pages. Rather than simply identifying to a user that a given connection is not secure due to an SSL/TLS issue, the new warnings now state that a potential security risk is present and informs users of what steps they can take.

WebAuthn Support

Firefox 66 includes support for the new WebAuthn standard based on the FIDO2 protocols, which provide strong authentication capabilities without the need for a password. WebAuthn is an evolution of the FIDO Alliance standards for strong authentication that have been supported in Firefox for several years.

"As of today, Firefox users on the Windows Insider Program’s fast ring can use any authentication mechanism supported by Windows for websites via Firefox," J.C. Jon, cryptography engineering lead for Firefox at Mozilla, wrote in a blog post. "That includes face or fingerprint biometrics, and a wide range of external security keys via the CTAP2 protocol from FIDO2, as well as existing deployed CTAP1 FIDO U2F-style security keys."

Scroll Anchoring

A common experience for many visiting a web page is having the content "jump" ahead as slow loading graphics and other media elements push content. In Firefox 66, Mozilla is integrating a web property for scroll anchoring that will provide for smoother scrolling and prevent content from jumping as new content is loaded on a given page.

Scroll anchoring is achieved with the use of a new draft web specification from the W3C.

"Changes in DOM elements above the visible region of a scrolling box can result in the page moving while the user is in the middle of consuming the content," the draft scroll anchoring specification states. "This spec proposes a mechanism to mitigate this jarring user experience by keeping track of the position of an anchor node and adjusting the scroll offset accordingly."

Security Updates

In Firefox 66, Mozilla is also providing 21 security patches for vulnerabilities. The timing of the new security updates comes just ahead of the annual Pwn2Own hacking competition, which gets underway on March 20, where Firefox is a target. At Pwn2Own, researchers are awarded cash prizes for disclosing new zero-day vulnerabilities in software.

Five of the patched vulnerabilities in Firefox 66 are rated by Mozilla as having critical impact. Among the critical vulnerabilities are multiple use-after-free and memory safety issues (CVE-2019-9790 and CVE-2019-9788). Researcher Samuel Groß of Google Project Zero is credited by Mozilla with reporting an additional pair of critical issues (CVE-2019-9791 and CVE-2019-9792) within Firefox's IonMonkey just-in-time (JIT) compiler.

"The IonMonkey just-in-time (JIT) compiler can leak an internal JS_OPTIMIZED_OUT magic value to the running script during a bailout," Mozilla warned in a security advisory. "This magic value can then be used by JavaScript to achieve memory corruption, which results in a potentially exploitable crash."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.