Firefox 76 Brings Security Patches, Breached Password Alerts
Mozilla this week released Firefox 76 to the stable channel with an updated password manager, alerts for breached passwords, and patches for 11 vulnerabilities.
Starting with the new release, the browser aims to help users better keep their accounts secure and easily generate strong passwords, courtesy of the new Firefox Lockwise password manager.
On shared devices, the feature keeps passwords secure by prompting users for their account password before making saved logins available to them. Furthermore, the credentials are made available for five minutes only, Mozilla says.
The Lockwise dashboard, the browser maker explains, is powered by Firefox Monitor, which alerts users when their credentials were part of a data breach.
Firefox alerts users when one of the passwords they use is identical with a password that has been compromised, but also when the username and password were part of a breach (additional details about the breach are also included).
“Don’t worry, Firefox doesn’t know your actual passwords. This new feature automatically checks your encrypted list of passwords against the breached website information, helping you to stay on top of your online accounts that may have been compromised,” Mozilla explains.
The organization also points out that users can now leverage Firefox Lockwise to generate passwords of a minimum of 12 random letters, numbers and symbols.
Furthermore, Mozilla has made Firefox Lockwise available for iOS and Android as well, allowing users to access their passwords while on the go and easily sync their logins.
Firefox 76 also arrived with patches for 11 vulnerabilities, including three assessed with a critical severity rating.
The first of the critical bugs is a use-after-free during worker shutdown (CVE-2020-12387), which could lead to an exploitable crash, the second is a sandbox escape (CVE-2020-12388) that impacts Windows only, while the third (CVE-2020-12395) refers to memory safety bugs in both Firefox 75 and Firefox ESR 68.7.
The new browser release also patches three high severity issues (CVE-2020-12389 – sandbox escape; CVE-2020-6831 – buffer overflow; and CVE-2020-12396 – memory safety bugs), four moderate risk bugs (CVE-2020-12390 – incorrect serialization; CVE-2020-12391 – Content-Security-Policy bypass; CVE-2020-12392 – arbitrary local file access; CVE-2020-12393 – potential command injection), and one low severity issue (CVE-2020-12394 – URL spoofing in location bar when unfocussed).
This week, Google too released an update for its Chrome browser, to address a total of three vulnerabilities, including two reported by external researchers. Both of these bugs are high severity issues: CVE-2020-6831 – a stack buffer overflow in SCTP, and CVE-2020-6464 – type confusion in Blink.