Mozilla on Tuesday shipped Firefox 74. Wait, didn’t we just get a new Firefox a minute or two ago?
It may feel that way. Firefox 74 arrived just four weeks after its predecessor, continuing the faster release cadence promised last year.
The refreshed browser dropped support for the now-obsolete TLS 1.0 and 1.1 cryptographic protocols, blocked all add-on “side-loading” except that allowed by enterprise-managed group policy, and enabled support for a header element designed to safeguard against attacks based on the Meltdown and Spectre hardware-based vulnerabilities first revealed two years ago.
Mozilla’s security engineers also patched a dozen vulnerabilities, half of them labeled “High,” Mozilla’s second-most-serious threat label. As usual, some of the flaws might be used by criminals.
“We presume that with enough effort some of these could have been exploited to run arbitrary code,” the firm wrote of two of the bugs. Two others were discovered and reported by members of Google Project Zero, the search company’s team of researchers who root out unpatched flaws in Google and non-Google software.
Firefox 74 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users can simply relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or describes the refresh process.
This was the first version of Firefox to be released four weeks after its predecessor — Mozilla last upgraded the browser on Feb. 11. In September 2019, the company announced it would pick up the development and release pace by shortening the interval between upgrades from six weeks to first five, then to four.
Say farewell to TLS 1.0, 1.1
As expected, Firefox 74 pulled the plug on the outdated encryption protocols of TLS (Transport Layer Security) 1.0 and 1.1. When users try to connect to a site secured with either TLS version, Firefox now shows a “Secure Connection Failed” error page.
But as when Mozilla delivered Firefox 73, this month’s upgrade included an override button letting users temporarily enable TLS 1.0 and 1.1. That button will remain “for a couple of release cycles,” said Chris Mills, content team manager at the Mozilla Developer Network, in a March 10 post to a company blog. “You won’t be able to rely on it for too long,” Mills also warned. (A “couple of release cycles” might mean through, say, Firefox 76, which will be supplanted by the next version on June 2.)
Note: The deprecation of TLS 1.0/1.1 was the result of a 2018 joint decision by the makers of the four biggest browsers (a group that also includes Apple with Safari, Google with Chrome, and Microsoft with Edge and Internet Explorer).
Firefox 74 also put a stop to sideloading, the term describing how a third-party application installs an associated add-on in Firefox. (One example from times past was the “Web Clipper” add-on that Evernote installed in browsers, including Firefox.) Sideloading has been, if not banned outright, certainly frowned upon by browser makers, who have cited security concerns regarding the practice.
In October 2019, Mozilla said that it would ban sideloading, noting malware opportunities as well as the lack of user control; sideloaded add-ons were installed without user approval and could not be deleted by the normal method of heading to Firefox’s Add-ons Manager portal. At the time, Mozilla targeted Firefox 74 as the version that would drop support for sideloading.
Users must now take an explicit action to install a sideloaded add-on in Firefox — blocking the hands-off kind of installs sideloading was known for — and can delete them from the Add-Ons Manager. Add-ons that were sideloaded previously won’t be removed by Mozilla (that’s for users to do if they wish), but no new sideloaded browser add-ons will be permitted from Firefox 74 forward.
As is almost always the case with Firefox, this change-up can itself be stymied in the enterprise if IT deploys the appropriate group policies to employees’ copies of the browser.
More information on Firefox 74’s stance on sideloading can be found in this Mozilla post of March 10.
Enhances security, privacy
Mozilla enabled support for the “Cross-Origin Resource Policy” (CORP) header, which site developers can use to opt in to protection against cross-origin requests, meaning requests that come from outside the domain of the website itself.
Using CORP can help safeguard against attacks by the likes of Spectre and Meltdown, the side-channel, hardware-based vulnerabilities that went public in early 2018 and triggered major efforts by browser makers, OS developers and chip company Intel to provide patches.
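The following is an added example, not code from Mozilla or from this article: a simplified JavaScript model of the decision a CORP-aware browser makes when a page loads a subresource (an image or script, say) from another origin. The function names, the sample hostnames and the two-label "site" shortcut are assumptions made for illustration.

```javascript
// Simplified model of the Cross-Origin-Resource-Policy check a browser applies
// to "no-cors" subresource loads (e.g. <img>, <script>). Constructed example.

// ASSUMPTION: the registrable domain is the last two labels of the host.
// Real browsers consult the Public Suffix List (needed for e.g. "example.co.uk").
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

function corpDecision(initiatorOrigin, resourceUrl, corpHeader, mode = 'no-cors') {
  // CORP only governs no-cors requests; CORS requests are governed by CORS.
  if (mode !== 'no-cors') return 'allowed';

  const from = new URL(initiatorOrigin);
  const to = new URL(resourceUrl);
  if (from.origin === to.origin) return 'allowed';

  // A missing or unrecognised value is treated as "no policy" in this model.
  const policy = (corpHeader || '').trim();

  switch (policy) {
    case 'same-origin':
      return 'blocked'; // the origins are already known to differ
    case 'same-site': {
      const sameSite = siteOf(from.hostname) === siteOf(to.hostname);
      // An insecure page may not load a secure same-site resource.
      const schemeOk = from.protocol === 'https:' || to.protocol !== 'https:';
      return sameSite && schemeOk ? 'allowed' : 'blocked';
    }
    default:
      return 'allowed'; // explicit "cross-origin", or no header at all
  }
}

// Constructed sample loads: [page origin, resource URL, CORP header value].
const SAMPLES = [
  ['https://app.example.com', 'https://app.example.com/me.json', 'same-origin'],
  ['https://app.example.com', 'https://static.example.com/a.png', 'same-origin'],
  ['https://app.example.com', 'https://static.example.com/a.png', 'same-site'],
  ['http://app.example.com', 'https://static.example.com/a.png', 'same-site'],
  ['https://other-site.test', 'https://static.example.com/a.png', 'same-site'],
  ['https://other-site.test', 'https://static.example.com/a.png', null],
];

function evaluateSamples() {
  return SAMPLES.map(([origin, url, header]) => corpDecision(origin, url, header));
}

console.log(evaluateSamples());
```

The last sample shows why the header is an opt-in: a resource served without it stays loadable from any site, so sensitive endpoints need `same-origin` or `same-site` set explicitly.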
Firefox 74 also took the time to trumpet the Mozilla-made Facebook Container, an add-on that locks the social network and a user’s interactions with it inside a separate container, or section of the browser’s memory. Anything done inside the container cannot be tracked outside the container; the result is that Facebook cannot track one of its users when she goes elsewhere on the web.
Facebook Container is not new: Mozilla launched it almost two years ago. (The latest version now lets users add custom sites to a list so that Facebook’s credentials can be used for logging on to those websites.) Rather, once Firefox 74 has been installed — or Firefox was upgraded to version 74 — Mozilla uses the opportunity to pitch the add-on.
Firefox Container can also be installed from here.
The next version, Firefox 75, is to launch on April 7.