Mozilla fixes high‑risk Firefox flaws, bug in DoH feature

The browser maker rolls out updates on back-to-back days, including a patch to avoid unintentionally overloading DNS providers



The Mozilla team has had a productive few days, having issued an update to Firefox only a day after releasing the web browser’s latest major version, which plugged eight CVE-listed security holes.


First, Tuesday saw the rollout of Firefox 77.0 into the stable channel for Windows, macOS and Linux. The new version was shipped with a bunch of new features and improvements, as well as important security fixes.


Five vulnerabilities received a high-severity score, with three of them allowing bad actors to run arbitrary code on vulnerable installations. In Mozilla’s own words, a flaw classified as high in severity “can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions”.


Some of those vulnerabilities also affected the browser’s ESR version, which is intended for large organizations and for which a new build (ESR 68.9) was also released on Tuesday. The update round also plugged two flaws rated as moderate and one low-risk vulnerability.


The full list of the CVEs – uncovered by an assortment of experts, including Mozilla’s own developers, academics from Finland, and independent researchers – is available in Mozilla’s latest security advisories for Firefox and for Firefox ESR, respectively. Importantly, as of the time of releasing the update none of the flaws had been spotted as being abused in ..