Firefox Quantum: Security and privacy improvements

Mozilla has released Firefox 57, aka Firefox Quantum, and it comes with many performance improvements.

It sports a new browsing engine that takes full advantage of the processing power in modern devices, AMD VP9 hardware video decoder support for improved video playback with lower power consumption, and a cleaner and faster user interface with optimizations for touch screens.

Security fixes and improvements

From now on, Firefox will support extensions built using the WebExtension API, a cross-browser system for developing extensions, and will no longer support legacy extensions.

“In the past, extensions often stopped working each time a new version of Firefox was released, because developers had to update them every six weeks to keep them compatible. Since extensions could also modify Firefox internal code directly, it was possible for bad actors to include malicious code in an innocent-looking extension,” Mozilla explained.

“To address these issues, and as part of broader efforts to modernize Firefox as a whole, we’ve transitioned to a new framework for developing Firefox extensions. Extensions created with the new standard are safer, more secure, and won’t break in new Firefox releases. A majority of the most popular add-ons are already compatible, so most users should not notice any changes.”

Secondly, Firefox Quantum comes with tightened sandbox security on Linux.

And, finally, Tracking Protection can now be enabled for regular browsing windows.

“Private Browsing with Tracking Protection in Firefox for Windows, Mac, Android and Linux actively blocks content like ads, analytics trackers and social share buttons that may record your behavior without your knowledge across sites,” Nick Nguyen, VP, Firefox Product, explained.

“We’re also introducing a new Control Center in Firefox that contains site security and privacy controls in a single place in your address bar. Since some Web pages may appear broken when elements that track behavior are blocked, we’ve made it easy to turn off Tracking Protection in Private Browsing for a particular site using the Control Center.”

Security fixes

The security fixes shipped with this newest Firefox version include:

  • 27 unspecified memory safety bugs, some of which could likely be exploited by attackers to run arbitrary code
  • One critical use-after-free vulnerability that could lead to a potentially exploitable crash of the browser
  • One cross-origin URL information leak vulnerability that could lead to data theft
  • Several flaws that could allow for domain spoofing attacks, and a number of other bugs of moderate and low impact.

The bug that could result in Tor Browser users’ IP address being leaked (Tor Browser is based on Firefox ESR) has not been patched in Firefox Quantum.

UPDATE:

As Gian-Carlo Pascutto, a mobile platform engineer at Mozilla, helpfully pointed out, the TorMoil “bug” is not something that adversely affects Firefox users, as Firefox does not aim to keep users’ IP address secret.

“The next ESR will be based on Firefox 59 I believe, we are trying to get a more proper/fundamental fix for the problem in that,” he added.