Mozilla released Firefox 93 to the stable channel this week. The release includes various security enhancements such as stronger privacy safeguards, fixes, and anti-tracking tools.
Starting with Firefox 93, insecure HTTP downloads on encrypted (HTTPS) pages are blocked, protecting users from potentially unwanted or malicious downloads.
Because data delivered through HTTP isn’t encrypted, attackers who intercept it could not only read it but also change it. As a result, attackers might replace files downloaded over HTTP with malicious ones, potentially compromising the entire system.
In Firefox 93, such insecure file downloads are now blocked, prompting the user to halt the download and remove the file, while simultaneously giving them the option to continue.
To prevent malicious material from initiating a drive-by download from the sandbox, the browser now also blocks downloads in sandboxed iframes. Firefox will block these downloads unless the iframe’s sandbox attribute includes the ‘allow-downloads’ keyword.
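For site operators, one way to find markup affected by the two download blocks described above; this is an added example, not code from Mozilla or the original article. The `audit` helper, the extension list and the sample page are assumptions constructed for illustration, and the file-type check is a heuristic, not Firefox's own logic.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: extensions this audit treats as "likely a download".
DOWNLOAD_EXTS = (".exe", ".msi", ".dmg", ".zip", ".pdf", ".apk")


class DownloadAudit(HTMLParser):
    """Collects links and iframes affected by the Firefox 93 download blocks."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.https_page = urlparse(page_url).scheme == "https"
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)  # names arrive lowercased; bare attributes map to None
        if tag == "a" and attr.get("href"):
            # Resolve relative and scheme-relative links against the page URL.
            target = urlparse(urljoin(self.page_url, attr["href"]))
            file_like = "download" in attr or target.path.lower().endswith(DOWNLOAD_EXTS)
            if self.https_page and target.scheme == "http" and file_like:
                self.findings.append(("insecure-download", target.geturl()))
        elif tag == "iframe" and "sandbox" in attr:
            # Sandbox tokens are space-separated and case-insensitive.
            tokens = (attr["sandbox"] or "").lower().split()
            if "allow-downloads" not in tokens:
                self.findings.append(("sandbox-blocks-downloads", attr.get("src") or ""))


def audit(page_url, html):
    """Return (kind, detail) findings for one page's markup."""
    parser = DownloadAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page, not taken from any real site.
SAMPLE = """
<a href="http://files.example.com/setup.exe">Installer</a>
<a href="/docs/manual.pdf" download>Manual</a>
<a href="//cdn.example.com/tool.zip">Tool</a>
<a href="http://example.com/about">About</a>
<iframe sandbox src="https://widgets.example.net/a"></iframe>
<iframe sandbox="allow-scripts Allow-Downloads" src="https://widgets.example.net/b"></iframe>
"""

if __name__ == "__main__":
    for kind, detail in audit("https://www.example.com/get", SAMPLE):
        print(kind, detail)
```

Links flagged as `insecure-download` should be moved to HTTPS; iframes flagged as `sandbox-blocks-downloads` need the `allow-downloads` token only if the embedded content is expected to offer downloads.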
After banning older versions of the Transport Layer Security (TLS) protocol last year, Firefox has now disabled 3DES, a popular encryption method that is nothing more than an adaptation of the Data Encryption Standard.
According to Mozilla, this is because attacks on 3DES have become more sophisticated, and because more efficient, stronger encryption algorithms are already standardised and widely supported.
“As long as Firefox offers 3DES as an option, it creates a security and privacy risk. Because using this encryption technique is no longer necessary or prudent, Mozilla has deactivated it by default in Firefox 93.
Even if some newer servers use 3DES, the move is predicted to cause compatibility concerns. However, only outdated devices that are no longer supported are affected. For that reason, Firefox will still allow the algorithm to be used if deprecated versions of TLS have been explicitly enabled.
Additional privacy enhancements in Firefox 93 include improved tracking protections thanks to a more complete SmartBlock version, which is available in Private Browsing and Strict Tracking Protection.
The third version of the intelligent tracker blocking method includes improved support for replacing Google Analytics scripts, as well as compatibility for prominent services like Amazon TAM, Criteo, Optimizely, and Google’s numerous advertising scripts.
Furthermore, the browser upgrade improves HTTP referrer safeguards: Firefox now disregards less restrictive referrer policies for cross-site requests. When Firefox is updated to version 93, the Strict Tracking Protection and Private Browsing features are automatically enabled.
Mozilla also included a number of patches with Firefox 93, including four for high-severity vulnerabilities and three for moderate-severity security weaknesses. The most serious of these flaws could lead to the execution of arbitrary code.
Use-after-free bugs in the MessageTask and nsLanguageAtomService objects, a data race weakness in crossbeam-deque, memory safety mistakes, and a vulnerability where validation messages might have been superimposed on another origin are among the issues that have been rectified.
Firefox 93, Firefox Extended Support Release (ESR) 78.15, and Firefox ESR 91.2 were all updated to fix these security flaws.