2021
07.05
Firefox 88 – Firefox ESR 78 – Thunderbird 78 – Critical issue fixed

Mozilla has released version 74.0 of Firefox for Windows, Linux and macOS. The biggest change the developers have made to the popular web browser is also the least surprising: TLS versions 1.0 and 1.1, which are considered unsafe, will no longer be supported. In addition, there are minor updates intended to improve security and privacy while browsing. Firefox 74.0 also includes security fixes: among other things, they are meant to close five critical vulnerabilities.

Users who visit websites that do not support at least version 1.2 of the Transport Layer Security (TLS) encryption protocol will in future receive an error message. The developers announced in October 2018 that support for the outdated protocol versions would end in March 2020. Competing browser vendors have long had the same plans: Google wants to drop TLS 1.0 and 1.1 in its soon-to-be-released Chrome 81, and Microsoft has announced the same step for its browsers Internet Explorer and Edge, somewhat vaguely, “for the first half of 2020”. Both Firefox and Chrome have long been showing warning messages for weakly encrypted connections.

Using the add-ons manager (about:addons), users should be able to easily uninstall extensions that were previously installed by external applications. In addition, for security reasons, installations “bypassing the user” should no longer be possible in the future. The release notes for Firefox 74.0 list other minor security-related changes. Among other things, users are offered the anti-tracking add-on “Facebook Container” after installing the new browser version. A technique called “mDNS ICE” aims to improve privacy for voice and video calls by disguising the user's own IP address with a random ID in certain scenarios.

As usual, the Mozilla developers have listed the security fixes in a separate security advisory. Five fixed vulnerabilities with a “high” risk rating (CVE-2020-6805, CVE-2020-6806, CVE-2020-6807, CVE-2020-6814, CVE-2020-6815) could, under certain conditions, have been abused by attackers to remotely execute arbitrary code or to provoke “potentially exploitable crashes”. Six vulnerabilities rated “Moderate” and one rated “Low” were also fixed.

Source: Heise
