
Mozilla Fixes 32 Security Flaws, Accelerates Performance In Firefox 58

Mozilla released its first web browser update for 2018 on Jan. 23 with the debut of Firefox 58. The new release includes features designed to accelerate performance as well as patches for 32 security vulnerabilities.

Firefox 58 is the second major release in the Quantum series, which became generally available in November 2017 with Firefox 57. A core element of the Firefox Quantum browser series is performance, and that has been improved even more in Firefox 58, thanks to a capability called Off-Main-Thread-Painting (OMTP).

“Off-Main-Thread-Painting is an incremental improvement to the way Firefox has long handled graphics and is an evolution of Firefox’s C++ codebase,” Mozilla spokesperson Justin O’Kelly told eWEEK.


According to Mozilla, OMTP can improve the graphics frame rate for Firefox by as much as 30 percent. OMTP builds on other optimizations that Mozilla has already included in Firefox as part of Quantum to accelerate web graphics rendering performance.

In addition to performance, Mozilla is using Firefox 58 as an opportunity to remind users about the Tracking Protection feature that debuted in Firefox 57. With Tracking Protection, users can block tracking, including cookies and unwanted advertisements. The feature, however, is an opt-in feature and to date not many users have opted in.

“Tracking Protection is an optional user feature because the occasional site may not work properly when enabled,” O’Kelly said. “So far, a small percentage of Firefox users have set Tracking Protection to ‘always on.’ We expect usage to increase as awareness builds.”

Security Fixes

Although Mozilla tends to group its security updates together as part of major milestone releases, it will also issue incremental updates for urgent issues. That was the case with the high-profile Spectre CPU side-channel attack that impacts Intel and other processor vendors. Mozilla patched Spectre issues as part of the incremental Firefox 57.0.3 update that was released on Jan. 4.

In Firefox 58, Mozilla patched 32 new security vulnerabilities, three of which are rated as having critical impact. Among the critical issues are a pair of memory safety issues identified as CVE-2018-5090 and CVE-2018-5089.

“Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code,” Mozilla warned in its advisory.

The third critical issue patched in Firefox 58 is a use-after-free (UAF) memory vulnerability with DTMF (dual-tone multi-frequency signaling) timers that are used in WebRTC (Real Time Communications) connections.

Among the other interesting issues patched in Firefox 58 is a moderate impact bug identified as CVE-2018-5115 involving background network requests.

“If an HTTP authentication prompt is triggered by a background network request from a page or extension, it is displayed over the currently loaded foreground page,” Mozilla warns in an advisory. “Although the prompt contains the real domain making the request, this can result in user confusion about the originating site of the authentication request and may cause users to mistakenly send private credential information to a third party site.”

Originally published on eWeek

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek
