파이어폭스 133 보안 업데이트 및 반송 추적 보호 및 기타 향상된 기능이 포함
모질라 재단에서 제공을 하는 브라우저인 파이어폭스 브라우저에 대한 보안 업데이트 및 반송 추적 보호 및 기타 향상된 기능이 포함된 업데이트가 진행이 되었습니다.
반송 추적 방지 및 보안 수정을 포함하여 몇 가지 주요 개선 사항이 포함
일부 광고주 및 데이터 브로커는 추적을 위해 리디렉션을 사용합니다. 이 프로세스는 매우 빠르게 진행되므로 사용자에게는 보이지 않음
핵심 아이디어는 간단합니다. 링크를 클릭하면 대상이 열리기 전에 먼저 추적 서버가 열릴 것이고 반송 추적 보호 기능은 정기적으로 쿠키와 사이트 데이터를 삭제하여 이를 차단하는 것이 목적
해당 기능은 Firefox에서 향상된 추적 방지 기능을 엄격으로 설정한 사용자에게만 활성화 기본 값이 아닙니다.
쿠키와 사이트 데이터를 삭제해야만 반송 추적기에 반응하는 것으로 보이는 Mozilla의 솔루션과 달리 Brave의 솔루션은 여러 가지 방법으로 반송 추적을 공격합니다.
브라우저는 차단된 알려진 바운스 추적기 목록을 사용
또한, 반송 추적이 의심되는 경우 사용자에게 경고하지만 추적기 및 광고를 적극적으로 차단하는 경우에만 해당합니다.
기타 변경 사항 및 수정 사항
탭 개요 메뉴에는 다른 장치의 탭을 볼 수 있는 새 항목이 포함 있음
윈도우 사용자는 GPU 가속 Canvas2D의 이점을 누릴 수 있음
Windows용 Firefox의 성능이 향상될 것입니다.
Picture-in-Picture 모드의 자동 열기 기능이 더욱 안정적으로 작동
기본적으로 비활성화되어 있으며 Firefox Labs에서 활성화해야 합니다.
보안 취약점 패치
CVE-2024-11691: Out-of-bounds write in Apple GPU drivers via WebGL
Description
Certain WebGL operations on Apple silicon M series devices could have lead to an out-of-bounds write and memory corruption due to a flaw in Apple's GPU driver.
This bug only affected the application on Apple M series hardware. Other platforms were unaffected.
CVE-2024-11700: Potential Tapjacking Exploit for Intent Confirmation on Android
Description
Malicious websites may have been able to user intent confirmation through tapjacking. This could have led to users unknowingly approving the launch of external applications, potentially exposing them to underlying vulnerabilities.
CVE-2024-11692: Select list elements could be shown over another site
Description
An attacker could cause a select dropdown to be shown over another tab; this could have led to user confusion and possible spoofing attacks.
CVE-2024-11701: Misleading Address Bar State During Navigation Interruption
Description
The incorrect domain may have been displayed in the address bar during an interrupted navigation attempt. This could have led to user confusion and possible spoofing attacks.
CVE-2024-11702: Inadequate Clipboard Protection in Private Browsing Mode on Android
Description
Copying sensitive information from Private Browsing tabs on Android, such as passwords, may have inadvertently stored data in the cloud-based clipboard history if enabled.
CVE-2024-11693: Download Protections were bypassed by .library-ms files on Windows
Description
The executable file warning was not presented when downloading .library-ms files.
Note: This issue only affected Windows operating systems. Other operating systems are unaffected.
CVE-2024-11694: CSP Bypass and XSS Exposure via Web Compatibility Shims
Description
Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP frame-src bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content.
CVE-2024-11695: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters
Description
A crafted URL containing Arabic script and whitespace characters could have hidden the true origin of the page, resulting in a potential spoofing attack.
CVE-2024-11696: Unhandled Exception in Add-on Signature Verification
Description
The application failed to account for exceptions thrown by the loadManifestFromFile method during add-on signature verification. This flaw, triggered by an invalid or unsupported extension manifest, could have caused runtime errors that disrupted the signature validation process. As a result, the enforcement of signature validation for unrelated add-ons may have been bypassed. Signature validation in this context is used to ensure that third-party applications on the user's computer have not tampered with the user's extensions, limiting the impact of this issue.
CVE-2024-11697: Improper Keypress Handling in Executable File Confirmation Dialog
Description
When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog. This could have led to malicious code execution.
CVE-2024-11704: Potential Double-Free Vulnerability in PKCS#7 Decryption Handling
Description
A double-free issue could have occurred in sec_pkcs7_decoder_start_decrypt() when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption.
CVE-2024-11698: Fullscreen Lock-Up When Modal Dialog Interrupts Transition on macOS
Description
A flaw in handling fullscreen transitions may have inadvertently caused the application to become stuck in fullscreen mode when a modal dialog was opened during the transition. This issue left users unable to exit fullscreen mode using standard actions like pressing "Esc" or accessing right-click menus, resulting in a disrupted browsing experience until the browser is restarted.
This bug only affects the application when running on macOS. Other operating systems are unaffected.
CVE-2024-11705: Null Pointer Dereference in NSC_DeriveKey
Description
NSC_DeriveKey inadvertently assumed that the phKey parameter is always non-NULL. When it was passed as NULL, a segmentation fault (SEGV) occurred, leading to crashes. This behavior conflicted with the PKCS#11 v3.0 specification, which allows phKey to be NULL for certain mechanisms.
CVE-2024-11706: Null Pointer Dereference in PKCS#12 Utility
Description
A null pointer dereference may have inadvertently occurred in pk12util, and specifically in the SEC_ASN1DecodeItem_Util function, when handling malformed or improperly formatted input files.
CVE-2024-11708: Data race with PlaybackParams
Description
Missing thread synchronization primitives could have led to a data race on members of the PlaybackParams structure.
CVE-2024-11699: Memory safety bugs fixed in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5
Description
Memory safety bugs present in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
아무튼, 해당 파이어폭스가 업데이트 되면 토르 브라우저도 영향이 받으므로 해당 브라우저들을 사용하시는 분들은 보안 업데이트를 하시면 될 것입니다.