Firefox and Thunderbird: functional improvements and security fixes

The new versions of Firefox 126 and Thunderbird 115.11 close security gaps. They also include improved functions.

Stylized graphic: burning Firefox logo on a laptop

Security gaps in Firefox put users at risk.

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

The Mozilla Foundation has released version 126 of the Firefox web browser, version 115.11 of Firefox ESR with long-term support and version 115.11 of Thunderbird, the mail client based on Firefox. The programmers have plugged some high-risk security leaks in all programs. However, new and improved functions have also been introduced.

According to the release notes, the developers have improved the "Copy link without website tracking" option in Firefox, among other things. It can now also remove parameters from nested URLs. The programmers have also extended support to more than 300 tracking parameters, for example from shopping sites. Firefox now also supports zstd as a compression algorithm. This is an alternative to Brotli and gzip, which achieves less processor load with the same compression rate or higher compression rates with the same CPU usage. Mac users with Apple Silicon M3 can look forward to AV1 hardware acceleration during decoding.

Those who value privacy should use a different default search engine such as DuckDuckGo, as the developers now collect telemetry data for around 20 search categories - such as "sport", "business" or "travel". The data is collected without being assigned to users and via OHTTP in order to remove IP addresses as potentially identifiable data. The data should also not be shared with third-party providers.

The new version also plugs security gaps: if there are several active WebRTC threads, they could simultaneously attempt to request a newly connected audio device, resulting in a use-after-free vulnerability. This means that resources already released by the program code are accessed again, but the memory contents are no longer defined. Attackers can often abuse such gaps to inject and execute malicious code (CVE-2024-4764, no CVSS value, "high" risk according to developers). A missing type check for fonts in PDF.js can lead to the execution of arbitrary JavaScript code (CVE-2024-4367, no CVSS value, "high"). The Firefox 126 security advisory lists nine other vulnerabilities of medium threat level in older Firefox versions, as well as five vulnerabilities classified as low risk.

The high-risk vulnerability in the type checking of fonts in PDF.js also affects Firefox ESR and Thunderbird, and the security bulletins for version 115.11 of both list identical vulnerabilities. The new versions also close five further security vulnerabilities of medium severity.

The release notes for Thunderbird 115.11 are extremely short. The separator between the task list and the task description, which can be moved with the mouse, did not behave as expected. In addition, the rows for the participants of a calendar event were the wrong size.

The version dialog can be used to find out whether the updated software versions with the security corrections are already running. The dialog can be accessed via the browser menu, which is located to the right of the address bar after clicking on the symbol with the three superimposed lines. It opens under "Help" - "About Firefox" or "About Thunderbird".

The Firefox version dialog not only displays the current software version, but also starts the update process when available.

(Image: Screenshot / dmk)

If an update is available, this also triggers the update process. At the end, the dialog also requests the necessary restart to activate the new software version. Under Linux, the distribution's software management is usually responsible for this.
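For more than a handful of machines, the same check can be scripted. The following Python sketch is an added example, not code from the article or from Mozilla: it compares reported version strings with the fixed versions named above (Firefox 126, Firefox ESR 115.11, Thunderbird 115.11). The inventory format, the host names and the assumption that ESR builds report an "esr" suffix in their version string are illustrative.

```python
import re

# Minimum fixed versions named in the article, keyed by release line.
FIXED = {
    "firefox": (126, 0, 0),
    "firefox-esr": (115, 11, 0),
    "thunderbird": (115, 11, 0),
}

# Matches e.g. "Mozilla Firefox 115.11.0esr" or "Thunderbird 115.10.1".
VERSION_RE = re.compile(
    r"\b(firefox|thunderbird)\s+(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE
)


def classify(version_line):
    """Return (release_line, version, patched) for one reported version string."""
    m = VERSION_RE.search(version_line)
    if m is None:
        raise ValueError(f"unrecognised version string: {version_line!r}")
    product = m.group(1).lower()
    version = (int(m.group(2)), int(m.group(3)), int(m.group(4) or 0))
    # Assumption: ESR builds carry an "esr" suffix in the version string.
    line = "firefox-esr" if product == "firefox" and m.group(5) else product
    return line, version, version >= FIXED[line]


def unpatched_hosts(inventory):
    """Return (host, release_line, version) for entries below the fixed version."""
    findings = []
    for row in inventory.strip().splitlines():
        host, reported = row.split("\t", 1)
        line, version, patched = classify(reported)
        if not patched:
            findings.append((host, line, ".".join(map(str, version))))
    return findings


# Constructed sample inventory: hostname <TAB> reported version string.
SAMPLE_INVENTORY = (
    "ws-01\tMozilla Firefox 126.0\n"
    "ws-02\tMozilla Firefox 125.0.3\n"
    "ws-03\tMozilla Firefox 115.11.0esr\n"
    "ws-04\tMozilla Firefox 115.10.0esr\n"
    "ws-05\tThunderbird 115.10.1\n"
    "ws-06\tThunderbird 115.11.0\n"
)

if __name__ == "__main__":
    for host, line, version in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {line} {version} predates the fixed release")
```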

About a month ago, the Mozilla developers released version 125 of the Firefox web browser. In it, the developers closed 15 security gaps. The update also included extended and improved functions.

(dmk)