Firefox 126 Released with Various Security Fixes
Firefox 126 was released on May 14, 2024, introducing various new features and improvements. This update also fixed 16 security vulnerabilities that posed risks such as arbitrary code execution and clickjacking.
One of the key highlights of Firefox 126 is support for zstd (Zstandard) compression for web content. This can potentially lead to faster loading times for websites. Additionally, users with M3 Macs running macOS will benefit from AV1 hardware decode acceleration. This can improve playback performance for videos encoded in the AV1 format.
Vulnerabilities Addressed in Firefox 126
CVE-2024-4764
Discovered by Jan-Ivar Bruaroey, this vulnerability involves improper memory management when audio input is connected with multiple consumers. Exploiting this could result in a denial of service or arbitrary code execution.
CVE-2024-4367
Thomas Rinsma identified that a type check was missing when handling fonts in PDF.js. This flaw could be exploited to execute arbitrary JavaScript code in the PDF.js context.
CVE-2024-4770
Irvan Kurniawan discovered an issue with how certain font styles are handled when saving a page to PDF. This vulnerability could potentially cause a crash when saving a web page as a PDF if the page uses certain font styles.
Furthermore, several vulnerabilities were identified that could allow an attacker to exploit specially crafted websites, leading to denial of service, sensitive information disclosure across domains, or arbitrary code execution. These issues are tracked under various CVEs:
CVE-2024-4767, CVE-2024-4768, CVE-2024-4769, CVE-2024-4771, CVE-2024-4772, CVE-2024-4773, CVE-2024-4774, CVE-2024-4775, CVE-2024-4776, CVE-2024-4777, and CVE-2024-4778.
Ubuntu and Debian Firefox Security Updates
The Ubuntu and Debian security teams have made Firefox 126 updates available in their respective releases, including Ubuntu 20.04 LTS, Debian 11, and Debian 12.
To upgrade Firefox on Ubuntu or Debian, you can use the following commands:
For Ubuntu:
$ sudo apt update
$ sudo apt upgrade firefox
For Debian:
$ sudo apt update
$ sudo apt upgrade firefox-esr
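To confirm the upgrade took effect, the following added example (not from Mozilla, Ubuntu, or Debian) compares a `--version` banner against the fixed versions this article names: Firefox 126, and Thunderbird 115.11 from the conclusion. The function names and sample banners are constructed for illustration; ESR builds report UNKNOWN because the article gives no ESR threshold.

```shell
#!/bin/sh
# Added example: check a browser banner against the fixed versions in the article.

# version_ge A B: succeed if version A >= version B (uses sort -V ordering).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# extract_version "<banner>": print the first dotted version number found.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+(\.[0-9]+)*' | head -n 1
}

# check_banner "<--version output>": print PATCHED, OUTDATED or UNKNOWN.
check_banner() {
    ver=$(extract_version "$1")
    case "$1" in
        *esr*)         echo UNKNOWN; return 0 ;;  # no ESR threshold in the article
        *Firefox*)     min=126 ;;                 # fixed release per the article
        *Thunderbird*) min=115.11 ;;              # "versions before 115.11" affected
        *)             echo UNKNOWN; return 0 ;;
    esac
    if [ -z "$ver" ]; then
        echo UNKNOWN
    elif version_ge "$ver" "$min"; then
        echo PATCHED
    else
        echo OUTDATED
    fi
}

# check_installed: apply the check to whichever binaries exist on this host.
check_installed() {
    for bin in firefox thunderbird; do
        if command -v "$bin" >/dev/null 2>&1; then
            echo "$bin: $(check_banner "$("$bin" --version 2>/dev/null)")"
        fi
    done
}

# Constructed sample banners (not captured from a real host).
for banner in "Mozilla Firefox 125.0.3" "Mozilla Firefox 126.0" \
              "Mozilla Thunderbird 115.10.1" "Mozilla Firefox 115.11.0esr"; do
    echo "$banner -> $(check_banner "$banner")"
done
```

Call `check_installed` after the upgrade to test the binaries actually on the machine rather than the sample banners.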
Conclusion
Given the critical nature of the vulnerabilities addressed in Firefox 126, it is strongly recommended that users update their Firefox packages immediately. This update not only fixes the aforementioned security issues but also enhances overall browser stability and performance.
The above vulnerabilities also affect Thunderbird versions before 115.11, so updating Thunderbird to the latest version is also crucial. Thunderbird package updates are already available in Ubuntu and Debian.
Source: Mozilla Foundation Security Advisory