You were already protected from this bug (and many more), if you have been using NoScript all along.
It's like this nonsense of saying users need to run anti-virus on their TV sets. Why in god's name do I need, or want, a TV that can run programs in the first place? I can happily plug programmable devices into my set via HDMI, and I can happily choose not to, as well.
But *need* it? No - you don't need it. Not even Amazon needs it. Enter name, press search. You might not get the menu of items similar to what you'd typed in so far, but frankly, that's so rarely useful for me, I could live without it (and probably it would make the site faster as it's not sending messages to the server every keystroke...)
This is a bad thing.
I do love the understatement of Reg articles :-) ... keep it coming guys, I've got a pile of replacement keyboards to go with my morning coffee.
"For comment, we've brought in a noted IT security expert with a PhD in Compsci and 25 years of experience in the field to argue in favour, and a plumber called Tom who can't turn on his laptop without help from his grandchildren to argue against. We're going to give them both equal airtime and treat their opinions as equally valid on the topic."
Here's an idea - why doesn't Mozilla offer security fixes separately from new versions of the browser? I'm getting tired of having to install a new version because some critical bug has been discovered, only to find a whole new set of pointless features (like Pocket) that I'm never going to use have been added. Or worse, you find that some feature you actually use has been "deprecated" because the developers decided they can't be arsed to support it any more (live bookmarks, anyone?)
Or here's another idea - why don't developers actually ask the users what they want instead of just rolling out new features then complaining when the users express dissatisfaction with their precious ideas?
Sorry, rant over.....
I must have disabled the auto-update as I use a few quality of life addons that always seem to break when I upgrade.
Once it was Adblock....
So I get a nag box instead, though to be fair it nags once per session.
The complaint here, I believe, isn't that it updates a lot - it does, but that's vigilance for you - it is that extra "features" seem to sneak their way into what nominally should be a security patch.
> why doesn't Mozilla offer security fixes separately from new versions of the browser
They do. They offer an ESR version that only gets security and bug fixes, and a normal version that gets new features and fixes.
Note that providing security fixes to N different versions of the browser takes about N times as much engineering effort as just supporting a single version. So Mozilla chose N = 2 - you get the ESR version and the normal version. Providing security fixes for the last 20 versions of the browser would be far too much effort for not enough benefit.
https://linuxhint.com/getting_latest_version_firefox_linux_mint/ suggests getting the Snap version, or, and I think you won't want to do this, an "unofficial" "flatpack" download which comes as "developer" or "nightly" edition, which I think means respectively "prominent new bugs" and "extraordinary new bugs".
Having said that, I am looking (in Microsoft Internet Explorer) at the release-channel appearance of version 67.0.4 for some reason, at https://www.mozilla.org/en-US/firefox/67.0.4/releasenotes/
Yup, https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/ says that we now need, or anyway want, version 67.0.4, or ESR 60.7.2.
Firefox has been fighting the war on browser cookies for years, but its latest privacy feature goes well beyond mere cookie tracking to stop URL query parameters.
HTML query parameters are the jumbled characters that appear after question marks in web addresses, like website.com/homepage?fs34sa3aso12knm. Sites such as Facebook and HubSpot use them to track users when links are clicked, and other websites like YouTube use them to enable certain site features too.
On June 28, Firefox 102 released a feature that enables the browser to "mitigate query parameter tracking when navigating sites in ETP strict mode." ETP, or enhanced tracking protection, encompasses a variety of Firefox components that block social media trackers, cross-site tracking cookies, fingerprinting and cryptominers "without breaking site functionality," says Mozilla's ETP support page.
Open-source cross-platform email and messaging client Thunderbird has hit version 102, with a new look and improved functionality, including Matrix chat support.
The latest release is the first major upgrade since version 91, which The Reg looked at last August. This is normal for the app – it follows the same approximately annual release cycle as Firefox's Extended Support Releases, the most recent of which was also version 91. From now until the next major release, Thunderbird 102 will get a regular stream of minor updates and bug fixes.
102 has a modernized look and feel. There's a new "Spaces" toolbar, which appears vertically on the left of the app window and lets users quickly flip between inbox, address book, calendar, task list, and chat tabs. All of these are built-in features – the former Lightning calendar add-on is now an integral part of the app, as is PGP support, which used to be an add-on called Enigmail. Thunderbird can talk to various groupware calendar and contact servers, including both private and corporate Google Mail accounts, Microsoft Exchange and Office 365, and others.
Interestingly, despite TypeScript's popularity in the usage stakes, affection for the technology dropped. Rust continued its run as the most loved language (87 percent of developers wanted to continue using it) but TypeScript slipped from third to fourth in the fondness stakes as Elixir leapt into second place from fourth in 2021.
A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.
That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.
In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.
Mozilla on Wednesday launched a Developer Preview program to solicit feedback on Firefox extensions that implement Manifest v3, a Google-backed revision of browser extension architecture.
Mozilla last year said it intended to support MV3 in Firefox extensions, though with some differences. Its implementation of the WebExtensions API in Firefox has now incorporated enough of MV3 plumbing that developers can set the appropriate browser flags and experiment with MV3 extensions in Firefox v101, now in beta and due for release at the end of May.
Google Chrome is expected to stop supporting extensions created under the old MV2 specification in about a year, June 2023. And given Chrome's share of the browser market – about 64 per cent currently – extension developers will want to have updated their code by then and to have accounted for how MV3 works – or doesn't – in different browsers.
An investigation by analysts at Sucuri into malware found on WordPress installations revealed a much larger and ongoing campaign that last month, we're told, hijacked more than 6,600 websites. The team has seen a spike in complaints this month related to the intrusions, according to analyst Krasimir Konov.
The tool is named "Cooper" – a reference to the "Cooperative mutation" technique employed by the tool.
The Mozilla Foundation has released version 100 of its flagship web browser Firefox.
There's no link in the above paragraph because, strangely, at the time of writing, the new browser is not officially mentioned anywhere on Mozilla's website. However, you can download it from Mozilla: it's already on the foundation's FTP site. You can choose between versions for macOS, and both 32-bit and 64-bit Windows and Linux.
If you're not into the flat look of recent versions of Windows, it will run on Windows 7 too, but you will need to install the official Microsoft update KB4474419 first. (Yes, Mozilla's support site does concede that the new version exists.)
Apple last week patched two actively exploited vulnerabilities in macOS Monterey yet has left users of older supported versions of its desktop operating system unprotected.
In a blog post on Tuesday, security biz Intego said fixes applied to address CVE-2022-22675 (AppleAVD bug) and CVE-2022-22674 (Intel Graphics Driver bug) in macOS Monterey were not backported to macOS Big Sur or macOS Catalina.
The AppleAVD issue is unpatched for macOS Big Sur, said Joshua Long, chief security analyst for Intego, while Catalina isn't affected because it lacks the AppleAVD component for decoding audio and video. The Intel Graphics Driver flaw, he said, looks like it affects both Big Sur and Catalina.
Emma Sleep Company has confirmed to The Reg that it suffered a Magecart attack which enabled ne'er-do-wells to skim customers' credit or debit card data from its website.
Customers were informed of the breach by the mattress maker via email in the past week, with the business saying it was "subject to a cyber attack leading to the theft of personal data" but not specifying in the message when it discovered the digital burglary.
"This was a sophisticated, targeted cyber-attack on the checkout process on our website and personal information entered, including credit card data, may have been stolen, whether you completed your purchase or not," the email to customers states.
Biting the hand that feeds IT © 1998–2022