#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

Firefox | Breaking Cybersecurity News | The Hacker News

Tails OS Users Advised Not to Use Tor Browser Until Critical Firefox Bugs are Patched

Tails OS Users Advised Not to Use Tor Browser Until Critical Firefox Bugs are Patched

May 26, 2022
The maintainers of the Tails project have issued a warning that the Tor Browser that's bundled with the operating system is unsafe to use for accessing or entering sensitive information. "We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.)," the project  said  in an advisory issued this week. Tails, short for The Amnesic Incognito Live System, is a security-oriented Debian-based Linux distribution aimed at preserving privacy and anonymity by connecting to the internet through the Tor network. The alert comes as Mozilla on May 20, 2022 rolled out fixes for  two critical zero-day flaws  in its Firefox browser, a modified version of which acts as the foundation of the Tor Browser. Tracked as CVE-2022-1802 and CVE-2022-1529, the two vulnerabilities are what's referred to as  prototype pollution  that could be weaponized to gain JavaScript c
Latest Firefox 95 Includes RLBox Sandboxing to Protect Browser from Malicious Code

Latest Firefox 95 Includes RLBox Sandboxing to Protect Browser from Malicious Code

Dec 07, 2021
Mozilla is beginning to roll out Firefox 95 with a new sandboxing technology called RLBox that prevents untrusted code and other security vulnerabilities from causing "accidental defects as well as supply-chain attacks." Dubbed " RLBox " and implemented in collaboration with researchers at the University of California San Diego and the University of Texas, the improved protection mechanism is designed to harden the web browser against potential weaknesses in off-the-shelf libraries used to render audio, video, fonts, images, and other content. To that end, Mozilla is incorporating "fine-grained sandboxing" into five modules, including its  Graphite  font rendering engine,  Hunspell  spell checker,  Ogg  multimedia container format,  Expat  XML parser, and  Woff2  web font compression format. The framework uses  WebAssembly , an open standard that defines a portable binary-code format for executable programs that can be run on modern web browsers, to i
How Nation-State Actors Target Your Business: New Research Exposes Major SaaS Vulnerabilities

How Nation-State Actors Target Your Business: New Research Exposes Major SaaS Vulnerabilities

Feb 15, 2024SaaS Security / Risk Management
With many of the highly publicized 2023 cyber attacks revolving around one or more SaaS applications, SaaS has become a cause for genuine concern in many boardroom discussions. More so than ever, considering that GenAI applications are, in fact, SaaS applications. Wing Security (Wing), a SaaS security company, conducted an analysis of 493 SaaS-using companies in Q4 of 2023.  Their study reveals  how companies use SaaS today, and the wide variety of threats that result from that usage. This unique analysis provides rare and important insights into the breadth and depth of SaaS-related risks, but also provides practical tips to mitigate them and ensure SaaS can be widely used without compromising security posture.  The TL;DR Version Of SaaS Security 2023 brought some now infamous examples of malicious players leveraging or directly targeting SaaS, including the North Korean group UNC4899, 0ktapus ransomware group, and Russian Midnight Blizzard APT, which targeted well-known organizat
Critical Bug in Mozilla’s NSS Crypto Library Potentially Affects Several Other Software

Critical Bug in Mozilla's NSS Crypto Library Potentially Affects Several Other Software

Dec 02, 2021
Mozilla has rolled out fixes to address a critical security weakness in its cross-platform Network Security Services ( NSS ) cryptographic library that could be potentially exploited by an adversary to crash a vulnerable application and even execute arbitrary code. Tracked as CVE-2021-43527, the flaw affects NSS versions prior to 3.73 or 3.68.1 ESR, and concerns a  heap overflow  vulnerability when verifying digital signatures such as  DSA  and  RSA-PSS  algorithms that are encoded using the  DER  binary format. Credited with reporting the issue is Tavis Ormandy of Google Project Zero, who codenamed it " BigSig ." "NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures," Mozilla  said  in an advisory published Wednesday. "Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted." NSS is a
cyber security

Are You Vulnerable to Third-Party Breaches Through Interconnected SaaS Apps?

websiteWing SecuritySaaS Security / Risk Management
Protect against cascading risks by identifying and mitigating app2app and third-party SaaS vulnerabilities.
Malicious Firefox Add-ons Block Browser From Downloading Security Updates

Malicious Firefox Add-ons Block Browser From Downloading Security Updates

Oct 26, 2021
Mozilla on Monday disclosed it blocked two malicious Firefox add-ons installed by 455,000 users that were found misusing the Proxy API to impede downloading updates to the browser. The two extensions in question, named Bypass and Bypass XM, "interfered with Firefox in a way that prevented users who had installed them from downloading updates, accessing updated blocklists, and updating remotely configured content," Mozilla's Rachel Tublitz and Stuart Colville  said . Because Proxy API can be  used  to proxy web requests, an abuse of the API could enable a bad actor to control the manner Firefox browser connects to the internet effectively. In addition to blocking the extensions to prevent installation by other users, Mozilla said it's pausing on approvals for new add-ons that use the proxy API until the fixes are broadly available. What's more, the California-based non-profit said it'd deployed a system add-on named " Proxy Failover " that ships
Mozilla Begins Rolling Out 'Site Isolation' Security Feature to Firefox Browser

Mozilla Begins Rolling Out 'Site Isolation' Security Feature to Firefox Browser

May 19, 2021
Mozilla has begun rolling out a new security feature for its Firefox browser in nightly and beta channels that aims to protect users against a new class of side-channel attacks from malicious sites. Called "Site Isolation," the implementation loads each website separately in its own operating system process and, as a result, prevents untrusted code from a rogue website from accessing confidential information stored in other sites. "This fundamental redesign of Firefox's Security architecture extends current security mechanisms by creating operating system process-level boundaries for all sites loaded in Firefox for Desktop," Mozilla  said  in a statement. "Isolating each site into a separate operating system process makes it even harder for malicious sites to read another site's secret or private data." The motivation for Site Isolation can be traced all the way back to January 2018 when  Spectre and Meltdown vulnerabilities  were publicly dis
Chinese Hackers Using Firefox Extension to Spy On Tibetan Organizations

Chinese Hackers Using Firefox Extension to Spy On Tibetan Organizations

Feb 25, 2021
Cybersecurity researchers today unwrapped a new campaign aimed at spying on vulnerable Tibetan communities globally by deploying a malicious Firefox extension on target systems. "Threat actors aligned with the Chinese Communist Party's state interests delivered a customized malicious Mozilla Firefox browser extension that facilitated access and control of users' Gmail accounts," Proofpoint said in an analysis. The Sunnyvale-based enterprise security company pinned the phishing operation on a Chinese advanced persistent threat (APT) it tracks as  TA413 , which has been previously attributed to attacks against the Tibetan diaspora by leveraging  COVID-themed lures  to deliver the Sepulcher malware with the strategic goal of espionage and civil dissident surveillance. The researchers said the attacks were detected in January and February 2021, a pattern that has continued since March 2020. The infection chain begins with a phishing email impersonating the "Tib
Windows 10, iOS, Chrome, Firefox and Others Hacked at Tianfu Cup Competition

Windows 10, iOS, Chrome, Firefox and Others Hacked at Tianfu Cup Competition

Nov 09, 2020
Multiple software products from Adobe, Apple, Google, Microsoft, Mozilla, and Samsung were successfully pwned with previously unseen exploits in  Tianfu Cup 2020 , the third edition of the international cybersecurity contest held in the city of Chengdu, China. "Many mature and hard targets have been pwned on this year's contest," the event organizers  said . "11 out of 16 targets cracked with 23 successful demos." The hacking competition showed off hacking attempts against a  number of platforms , including: Adobe PDF Reader Apple iPhone 11 Pro running iOS 14 and Safari browser ASUS RT-AX86U router CentOS 8 Docker Community Edition Google Chrome Microsoft Windows 10 v2004 Mozilla Firefox Samsung Galaxy S20 running Android 10 TP-Link TL-WDR7660 router VMware ESXi hypervisor The Tianfu Cup, analogous to Pwn2Own, was started in 2018 following a  government regulation  in the country that barred security researchers from participating in internati
A Bug Could Let Attackers Hijack Firefox for Android via Wi-Fi Network

A Bug Could Let Attackers Hijack Firefox for Android via Wi-Fi Network

Sep 19, 2020
Dear Android users, if you use the Firefox web browser on your smartphones, make sure it has been updated to version 80 or the latest available version on the Google Play Store. ESET security researcher Lukas Stefanko yesterday tweeted an alert demonstrating the exploitation of a recently disclosed high-risk remote command execution vulnerability affecting the Firefox app for Android. Discovered originally by Australian security researcher Chris Moberly , the vulnerability resides in the SSDP engine of the browser that can be exploited by an attacker to target Android smartphones connected to the same Wi-Fi network as the attacker, with Firefox app installed. SSDP, stands for Simple Service Discovery Protocol, is a UDP based protocol that is a part of UPnP for finding other devices on a network. In Android, Firefox periodically sends out SSDP discovery messages to other devices connected to the same network, looking for second-screen devices to cast. Any device on the local netwo
Firefox enables DNS-over-HTTPS by default (with Cloudflare) for all U.S. users

Firefox enables DNS-over-HTTPS by default (with Cloudflare) for all U.S. users

Feb 25, 2020
If you use the Firefox web browser, here's an important update that you need to be aware of. Starting today, Mozilla is activating the DNS-over-HTTPS security feature by default for all Firefox users in the U.S. by automatically changing their DNS server configuration in the settings. That means, from now onwards, Firefox will send all your DNS queries to the Cloudflare DNS servers instead of the default DNS servers set by your operating system, router, or network provider. As you may know, DNS-over-HTTPS (DoH) protocol performs DNS lookups — i.e., finding the server I.P. address of a certain domain name — over an encrypted connection to a DNS server rather than sending queries in the plaintext. This privacy-focused technology makes it harder for man-in-the-middle attackers, including your ISPs, to manipulate DNS queries, eavesdrop on your Internet connection, or learning what sites you visit. "This helps hide your browsing history from attackers on the network,
Critical Firefox 0-Day Under Active Attacks – Update Your Browser Now!

Critical Firefox 0-Day Under Active Attacks – Update Your Browser Now!

Jan 09, 2020
Attention! Are you using Firefox as your web browsing software on your Windows, Linux, or Mac systems? If yes, you should immediately update your free and open-source Firefox web browser to the latest version available on Mozilla's website. Why the urgency? Mozilla earlier today released Firefox 72.0.1 and Firefox ESR 68.4.1 versions to patch a critical zero-day vulnerability in its browsing software that an undisclosed group of hackers is actively exploiting in the wild. Tracked as ' CVE-2019-17026 ,' the bug is a critical 'type confusion vulnerability' that resides in the IonMonkey just-in-time (JIT) compiler of the Mozilla's JavaScript engine SpiderMonkey. In general, a type confusion vulnerability occurs when the code doesn't verify what objects it is passed to and blindly uses it without checking its type, allowing attackers to crash the application or achieve code execution. Without revealing details about the security flaw and any det
Avast and AVG Browser Extensions Spying On Chrome and Firefox Users

Avast and AVG Browser Extensions Spying On Chrome and Firefox Users

Dec 03, 2019
If your Firefox or Chrome browser has any of the below-listed four extensions offered by Avast and its subsidiary AVG installed, you should disable or remove them as soon as possible. Avast Online Security AVG Online Security Avast SafePrice AVG SafePrice Why? Because these four widely installed browser extensions have been caught collecting a lot more data on its millions of users than they are intended to, including your detailed browsing history. Most of you might not even remember downloading and installing these extensions on your web browser, and that's likely because when users install Avast or AVG antivirus on their PCs, the software automatically installs their respective add-ons on the users' browsers. Both online security extensions have been designed to warn users when they visit a malicious or phishing website; whereas, SafePrice extensions help online shoppers learn about best offers, price comparisons, travel deals, and discount coupons from variou
Chrome for Android Enables Site Isolation Security Feature for All Sites with Login

Chrome for Android Enables Site Isolation Security Feature for All Sites with Login

Oct 17, 2019
After enabling ' Site Isolation ' security feature in Chrome for desktops last year, Google has now finally introduced 'the extra line of defence' for Android smartphone users surfing the Internet over the Chrome web browser. In brief, Site Isolation is a security feature that adds an additional boundary between websites by ensuring that pages from different sites end up in different sandboxed processes in the browser. Since each site in the browser gets its own isolated process, in case of a browser flaw or Spectre like side-channel vulnerability, the feature makes it harder for attackers or malicious websites to access or steal cross-site data of your accounts on other websites. Site Isolation helps protect many types of sensitive data, including authentication cookies, stored passwords, network data, stored permissions, as well as cross-origin messaging that help sites securely pass messages across domains. The feature gained attention in January 2018,
Firefox Blocks Inline and Eval JavaScript on Internal Pages to Prevent Injection Attacks

Firefox Blocks Inline and Eval JavaScript on Internal Pages to Prevent Injection Attacks

Oct 15, 2019
In an effort to mitigate a large class of potential cross-site scripting issues in Firefox, Mozilla has blocked execution of all inline scripts and potentially dangerous eval-like functions for built-in "about: pages" that are the gateway to sensitive preferences, settings, and statics of the browser. Firefox browser has 45 such internal locally-hosted about pages , some of which are listed below that you might have noticed or used at some point: about:config — panel to modify Firefox preferences and critical settings. about:downloads — your recent downloads done within Firefox. about:memory — shows the memory usage of Firefox. about:newtab — the default new tab page. about:plugins — lists all your plugins as well as other useful information. about:privatebrowsing — open a new private window. about:networking — displays networking information. To be noted, these changes do not affect how websites from the Internet work on the Firefox browser, but going forwar
Mozilla Launches 'Firefox Private Network' VPN Service as a Browser Extension

Mozilla Launches 'Firefox Private Network' VPN Service as a Browser Extension

Sep 11, 2019
Mozilla has officially launched a new privacy-focused VPN service, called Firefox Private Network , as a browser extension that aims to encrypt your online activity and limit what websites and advertisers know about you. Firefox Private Network service is currently in beta and available only to desktop users in the United States as part of Mozilla's recently expunged "Firefox Test Pilot" program that lets users try out new experimental features before they were officially released. The Firefox Test Pilot program was first launched by the company three years ago but was shut down in January this year. The company now decided to bring the program back but with some changes. "The difference with the newly relaunched Test Pilot program is that these products and services may be outside the Firefox browser, and will be far more polished, and just one step shy of general public release," said Marissa Wood, vice president of product at Mozilla. Firefox
Firefox 69 Now Blocks 3rd-Party Tracking Cookies and Cryptominers By Default

Firefox 69 Now Blocks 3rd-Party Tracking Cookies and Cryptominers By Default

Sep 04, 2019
Mozilla has finally enabled the "Enhanced Tracking Protection" feature for all of its web browser users worldwide by default with the official launch of Firefox 69 for Windows, Mac, Linux, and Android. The company enabled the " Enhanced Tracking Protection " setting by default for its browser in June this year, but only for new users who downloaded and installed a fresh copy of Firefox. Remaining users were left with options to either enable the feature manually or wait for the company to activate it for all users. Now, the wait is over. With Firefox 69, Enhanced Tracking Protection will automatically be turned on by default for all users as part of the "Standard" setting in the Firefox browser, blocking known "third-party tracking cookies" and web-based cryptocurrency mining scripts. Firefox 69 By Default Blocks Known Third-Party Tracking Cookies Cookies are created by a web browser when a user loads a specific website, which helps
17-Year-Old Weakness in Firefox Let HTML File Steal Other Files From Device

17-Year-Old Weakness in Firefox Let HTML File Steal Other Files From Device

Jul 03, 2019
Except for phishing and scams, downloading an HTML attachment and opening it locally on your browser was never considered as a severe threat until a security researcher today demonstrated a technique that could allow attackers to steal files stored on a victim's computer. Barak Tawily, an application security researcher, shared his findings with The Hacker News, wherein he successfully developed a new proof-of-concept attack against the latest version of Firefox by leveraging a 17-year-old known issue in the browser. The attack takes advantage of the way Firefox implements Same Origin Policy (SOP) for the "file://" scheme URI (Uniform Resource Identifiers), which allows any file in a folder on a system to get access to files in the same folder and subfolders. Since the Same Origin Policy for the file scheme has not been defined clearly in the RFC by IETF, every browser and software have implemented it differently—some treating all files in a folder as the same
Firefox to Automatically Trust OS-Installed CA Certificates to Prevent TLS Errors

Firefox to Automatically Trust OS-Installed CA Certificates to Prevent TLS Errors

Jul 02, 2019
Mozilla has finally introduced a mechanism to let Firefox browser automatically fix certain TLS errors, often triggered when antivirus software installed on a system tries to intercept secure HTTPS connections. Most Antivirus software offers web security feature that intercepts encrypted HTTPS connections to monitor the content for malicious web pages before it reaches the web browser. To achieve this, security software replaces websites' TLS certificates with their own digital certificates issued by any trusted Certificate Authorities (CAs). Since Mozilla only trusts those CAs that are listed in its own root store, the antivirus products relying on other trusted CAs provided by the operating system (OS) are not allowed to intercept HTTPS connections on Firefox. In recent months, this limitation continually crashed HTTPS pages for many Firefox users showing them SEC_ERROR_UNKNOWN_ISSUER, MOZILLA_PKIX_ERROR_MITM_DETECTED or ERROR_SELF_SIGNED_CERT error codes when their an
Firefox 67.0.4 Released — Mozilla Patches Second 0-Day Flaw This Week

Firefox 67.0.4 Released — Mozilla Patches Second 0-Day Flaw This Week

Jun 21, 2019
Okay, folks, it's time to update your Firefox web browser once again—yes, for the second time this week. After patching a critical actively-exploited vulnerability in Firefox 67.0.3 earlier this week, Mozilla is now warning millions of its users about a second zero-day vulnerability that attackers have been found exploiting in the wild. The newly patched issue ( CVE-2019-11708 ) is a "sandbox escape" vulnerability, which if chained together with the previously patched "type confusion" bug ( CVE-2019-11707 ), allows a remote attacker to execute arbitrary code on victims' computers just by convincing them into visiting a malicious website. Browser sandboxing is a security mechanism that keeps third-party processes isolated and confined to the browser, preventing them from damaging other sensitive parts of a computer's operating system. "Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent proc
Tor Browser 8.5.2 Released — Update to Fix Critical Firefox Vulnerability

Tor Browser 8.5.2 Released — Update to Fix Critical Firefox Vulnerability

Jun 20, 2019
Important Update (21 June 2019) ➤  The Tor Project on Friday released second update ( Tor Browser 8.5.3 ) for its privacy web-browser that patches the another Firefox zero-day vulnerability patched this week. Following the latest critical update for Firefox, the Tor Project today released an updated version of its anonymity and privacy browser to patch the same Firefox vulnerability in its bundle. Earlier this week, Mozilla released Firefox 67.0.3 and Firefox ESR 60.7.1 versions to patch a critical actively-exploited vulnerability ( CVE-2019-11707 ) that could allow attackers to remotely take full control over systems running the vulnerable browser versions. Besides updating Firefox, the latest Tor Browser 8.5.2 for desktops also includes updated NoScript version 10.6.3 that fixes a few known issues. According to the Tor Project Team, if you are already using Tor browser with "safer" and "safest" security levels, the flaw doesn't affect you. For som
Firefox Web Browser Now Blocks Third-Party Tracking Cookies By Default

Firefox Web Browser Now Blocks Third-Party Tracking Cookies By Default

Jun 04, 2019
As promised, Mozilla has finally enabled "Enhanced Tracking Protection" feature on its Firefox browser by default, which from now onwards would automatically block all third-party tracking cookies that allow advertisers and websites to track you across the web. Tracking cookies, also known as third-party cookies, allows advertisers to monitor your online behavior and interests, using which they display relevant advertisements, content, and promotions on the websites you visit. Which makes sense as no one likes to waste time in watching advertisements and offers that are not of one's interest. However, since tracking cookies gather way more information without requiring users' explicit permissions and there is no control over how companies would use it, the technique also poses a massive threat to users' online privacy. To limit this extensive tracking, Mozilla included the "Enhanced Tracking Protection" option as an experimental feature in Octo
Cybersecurity Resources