Both Mozilla and Google have updated their browsers this week and have added important security fixes along with bolstering user privacy and safety.
Google tackled 53 security fixes on Wednesday with the debut of Chrome 64 (version 64.0.3282.119) for Windows, Mac and Linux. Only three of the vulnerabilities patched are rated high with 13 ranked medium in severity. Most notable is a patch to protect against the web-exploitable Spectre CPU vulnerability. Google did not offer an in-depth analysis of this patch, only stating “this release contains additional mitigations against speculative side-channel attack techniques.”
One of high-severity vulnerabilities (CVE-2018-6031) is tied to Google’s problem-plagued Chrome default PDF viewer, called PDFium. Two additional vulnerabilities rated high were also patched. One (CVE-2018-6032) is only described as a “same origin bypass in shared worker” vulnerability and the other (CVE-2018-6033) is a “race when opening downloaded files” bug.
In addition to fixes, Google also introduced security features with Chrome 64, originally part of the beta version of the browser, introduced last month. Those features include a “stronger” pop-up blocker that targets swatting down “links to third-party websites disguised as play buttons or other site controls, or transparent overlays on websites that capture all clicks and open new tabs or windows,” Google said.
Google has also introduced a developer Abusive Experiences Report tool, available in the Google Search Console, that allows site owners to check if any “abusive experiences” have been found on their sites.
Mozilla Adds Always-On Ban on Web Tracking
Mozilla fixed two critical bugs in Firefox with the release of Firefox 58 Quantum, introduced on Tuesday. Also patched were eight vulnerabilities rated high. One of the most serious bugs is a critical “memory safety” flaw (CVE-2018-5089) that “with enough effort” could allow a hacker exploit the vulnerability and run arbitrary code on targeted devices.
A second critical use-after-free Firefox bug was also patched by Mozilla Firefox. According to Mozilla’s Security Advisory, the bug (CVE-2018-5091) is tied to the browser’s DTMF feature. DTMF, or Dual-tone multi-frequency signaling, describes a Firefox component that uses “touch tones” within the browser’s WebRTC framework that can be used to initiate calls to a legacy telephone network that rely on DTMF.
“A use-after-free vulnerability can occur during WebRTC connections when interacting with the DTMF timers. This results in a potentially exploitable crash,” according to the Security Advisory.
The patches also apply to the Firefox Extended Support Release (ESR) 52.6 browser, also updated Tuesday.
The latest version of Firefox 58 Quantum (for Windows, Linux and macOS) introduces a bevy of performance enhancements, building off Firefox’s original introduction of the Quantum browser in November. Part of those speed enhancements are tied to banning advertisers from collecting data on users while they browse the internet. Mozilla says ad tracking cuts browser speeds in half.
“When you browse from site to site, you’re often followed by scripts that collect data on where you’ve been and what you’ve done. These scripts can eat up your data, slow down your internet experience and make you see ads for things you may or may not want to admit you looked for when you went down one of those ‘suggested items’ rabbit holes. We found that when Private Browsing with Tracking Protection is on, Firefox is significantly faster than Chrome, even in Incognito mode,” Mozilla said.
To speed up Firefox 58, you can now block ad-tracking in Firefox all the time, not just in Firefox Private Browsing mode.