Mozilla has released its latest Firefox browser iteration, Firefox 69, which by default blocks third-party cookies and cryptominers; it also disables default support for Adobe Flash Player. In addition, the browser has squashed several critical and high-severity vulnerabilities.
Mozilla has long been saying it would amp up its efforts around blocking tracking cookies, and now with the release of Firefox 69 for Windows, Mac, Linux and Android available, consumers can access those capabilities through a new default feature called Enhanced Tracking Protection.
“Enhanced Tracking Protection works behind-the-scenes to keep a company from forming a profile of you based on their tracking of your browsing behavior across websites — often without your knowledge or consent,” said Marissa Wood with Mozilla on Tuesday. “Those profiles and the information they contain may then be sold and used for purposes you never knew or intended.”
Firefox users can see if Enhanced Tracking Protection is working when they visit a website and see a purple shield icon on their address bar. To see which companies Mozilla blocks, Firefox users can also click on that icon, go to the Content Blocking section, then click Cookies, where they can see Blocking Tracking Cookies.
The feature also blocks cryptominers, which can access users’ CPUs and drain battery power to generate cryptocurrency, as well as fingerprinting scripts, which harvest a snapshot of computer configuration when users visit a website.
“To get protection from fingerprinting scripts Firefox users can turn on ‘Strict Mode,'” said Wood. “In a future release, we plan to turn fingerprinting protections on by default.”
Critical and High-Severity Fixes
Firefox 69 also comes with an array of patches, which address one critical and eight high-severity vulnerabilities.
The critical vulnerability (CVE-2019-11751) enables malicious code execution through command line parameters for Firefox browsers on Windows OS. The issue exists because “logging-related command line parameters are not properly sanitized when Firefox is launched by another program, such as when a user clicks on malicious links in a chat application,” according to Mozilla. It said: “This can be used to write a log file to an arbitrary location such as the Windows ‘Startup’ folder.”
The flaw was reported by Ping Fan (Zetta) Ke of VXRL, working with iDefense Labs.
Other high-severity flaws that were fixed include a use-after-free vulnerability (CVE-2019-11746) that could result in a “potentially exploitable crash;” a same-origin policy violation that could allow data theft (CVE-2019-11742); and a flaw allowing file manipulation and privilege escalation in Mozilla Maintenance Service (CVE-2019-11736).
Adobe Flash Support Knocked Down
Firefox 69 also has disabled default support for the Adobe Flash Player plugin (similar to Google’s Chrome 76).
The disabled default support means that Firefox users will now be required to manually enable Adobe Flash in Mozilla’s latest browser version, Firefox 69. More importantly, the change signals another step toward the end of Flash in general, as Mozilla and other popular browsers push the plugin off the radar.
“Per our Flash (plugin) deprecation roadmap, we’ll disable Flash by default in Nightly 69 and let that roll out,” said Jim Mathies, senior engineering manager at Mozilla, in a Bugzilla update in January.
The news follows Adobe’s announcement in July 2017 that it plans to push Flash into an end-of-life state, meaning that it will no longer update or distribute Flash Player at the end of 2020. Thus, it will “encourage content creators to migrate any existing Flash content to these new open formats.”
Adobe’s announcement of the end-of-life for Flash spurred tech giants across the industry – like Mozilla, Microsoft and Google– to develop their own road maps on how they would phase Flash out of their own browsers.
Interested in more on the internet of things (IoT)? Don’t miss our on-demand Threatpost webinar, IoT: Implementing Security in a 5G World. Join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to listen to the recorded webinar.