It is a confusing time in browser-land as Google and Mozilla have updated their web browsers multiple times over the last few days to roll back certain features and to fix multiple high-severity vulnerabilities. It's a lot of updates in a very short period of time, and it's important to try to keep on top of them.
The latest for Chrome: After initially pausing all work on Chrome 81 last month to focus on stabilizing version 80, Google’s Chrome team promoted Chrome 81 into the stable channel this week. This version included 32 security fixes, three of which are rated high-risk. The most severe is a use-after-free vulnerability in extensions (CVE-2020-6454). The two other high-risk flaws were a use-after-free in audio (CVE-2020-6243) and an out-of-bounds read in WebSQL (CVE-2020-6455).
Earlier last week, the Chrome team updated version 80 to address three high-severity vulnerabilities. Chrome 80.0.3987.162 addressed two use-after-free flaws in WebAudio and one heap buffer overflow in media.
Somewhere in between these two versions, Google started rolling back a security feature it had introduced in Chrome 80 back in early February. The cross-site request forgery (CSRF) protection is part of Chrome’s effort to change how the browser handles third-party cookies. The feature checks the cookie’s SameSite attribute and makes a cookie available in third-party contexts only when it is set as SameSite=None; Secure, which also restricts it to secure connections. The feature has been rolled out gradually since February, with Google contacting individual websites and services to ensure cookies are being labelled correctly. Since many website owners may have trouble getting their developers to make the change at this time, Google decided to suspend enforcement of the SameSite cookie labelling.
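To see what the SameSite change described above means for a site's own cookies, here is an added example (not code from the article, Google or Chromium) that classifies a Set-Cookie header under the Chrome 80 rules: a cookie without a SameSite attribute is treated as Lax, SameSite=None is rejected unless Secure is also present, and only SameSite=None; Secure cookies are sent in third-party contexts. The function name, the CookieVerdict type and the over_https parameter are assumptions for this example.

```python
from dataclasses import dataclass


@dataclass
class CookieVerdict:
    name: str
    effective_samesite: str   # "Lax", "Strict" or "None" after defaults apply
    rejected: bool            # Chrome 80 drops SameSite=None without Secure
    sent_cross_site: bool     # usable from an embedded third-party context
    note: str


def evaluate_set_cookie(header: str, over_https: bool = True) -> CookieVerdict:
    """Apply Chrome 80's SameSite defaults to one Set-Cookie header value.

    over_https: whether the response carrying the header came over HTTPS;
    a Secure cookie cannot be set over plain HTTP. (Assumed parameter.)
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    samesite = attrs.get("samesite", "").capitalize()
    secure = "secure" in attrs

    if samesite not in ("Lax", "Strict", "None"):
        # Missing or unrecognised SameSite value: Chrome 80 defaults to Lax,
        # so the cookie is no longer sent on cross-site subresource requests.
        # (Chrome's temporary "Lax+POST" allowance for top-level POSTs within
        # two minutes of the cookie being set is not modelled here.)
        return CookieVerdict(name, "Lax", False, False,
                             "no SameSite attribute; treated as Lax")
    if samesite == "None":
        if not secure:
            return CookieVerdict(name, "None", True, False,
                                 "SameSite=None without Secure is rejected")
        if not over_https:
            return CookieVerdict(name, "None", True, False,
                                 "Secure cookie cannot be set over plain HTTP")
        return CookieVerdict(name, "None", False, True,
                             "SameSite=None; Secure: sent in third-party contexts")
    return CookieVerdict(name, samesite, False, False,
                         f"SameSite={samesite}: first-party requests only")


# Constructed sample headers, as a site owner might see them in a response.
SAMPLES = [
    "session=abc123; Path=/; HttpOnly",            # legacy: becomes Lax
    "sso=tok; SameSite=None",                      # rejected in Chrome 80
    "sso=tok; SameSite=None; Secure",              # the form that still works
    "csrf=1; SameSite=Strict",
]
```

Running evaluate_set_cookie over SAMPLES shows that only the SameSite=None; Secure cookie keeps working for an embedded widget, which is exactly the labelling Google was asking sites to adopt.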
“While most of the web ecosystem was prepared for this change, we want to ensure stability for websites providing essential services including banking, online groceries, government services and healthcare that facilitate our daily life during this time,” Justin Schuh, director of Chrome Engineering, posted on the Chromium blog. Enforcement will likely resume over the summer.
Latest for Firefox
Over on the Firefox side, Mozilla pushed Firefox 75 to the stable channel, with six security patches for the desktop version of the web browser and two for vulnerabilities specific to the Android version.
Two of the high-severity vulnerabilities (CVE-2020-6825 and CVE-2020-6826) addressed in Firefox 75 could lead to arbitrary code execution. One of the high-risk vulnerabilities in Firefox for Android (CVE-2020-6828) could also lead to arbitrary code execution. The other high-risk bug in the desktop version could be exploited to leak sensitive data (CVE-2020-6821), and the other high-risk flaw in the mobile browser could be exploited to display an incorrect URI (CVE-2020-6827).
Just a few days earlier, Mozilla had released version 74.01 of Firefox. The emergency update fixed two critical vulnerabilities (CVE-2020-6819 and CVE-2020-6820) which were being exploited in targeted attacks. In both cases, a race condition (a timing flaw that arises when operations run concurrently or out of their expected sequence) could result in a use-after-free error, which in turn could lead to remote code execution. The fixes are also in the enterprise version, Firefox Extended Support Release (ESR) 68.6.1.
“An attacker could exploit these vulnerabilities to take control of an affected system,” the advisory from the United States Cybersecurity and Infrastructure Security Agency (CISA) said, regarding the Firefox update.
Firefox 75 focused on maintaining backward-compatibility so that the changes don't make it difficult for users to access important websites, such as government services and video-conferencing platforms. For example, Firefox 75 was supposed to make Datagram Transport Layer Security (DTLS) 1.2 the default minimum version in WebRTC. The plan was to force sites using the older DTLS protocol to upgrade, but Mozilla decided to keep DTLS 1.0 support because Jitsi, an open-source video-conferencing system, didn't support version 1.2.
Google was supposed to drop DTLS 1.0 in Chrome 82, but that version has been cancelled. It isn't known when Google will finally drop support for DTLS 1.0 in Chrome at this point, but the discussion on the WebRTC page indicates several video-conferencing platforms still use DTLS 1.0.
Mozilla also reversed itself with Firefox 74.0, which had been released in early March. Mozilla, along with other browser giants, had pledged back in 2018 to remove support for Transport Layer Security (TLS) versions 1.0 and 1.1 from their web browsers. Site administrators had been advised to transition to TLS 1.2 or TLS 1.3 for their sites so that users would still be able to reach them. Firefox 74 was the first browser in which support for these old and insecure versions of the protocol had been removed.
However, there were enough organizations that had not made the transition, so Mozilla reversed its decision and put support for the protocols back into Firefox 74.
“We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information,” Mozilla wrote in an update to its release notes for Firefox 74.
Google has delayed its plans to remove support for both TLS 1.0 and 1.1 protocols, as well. It is now scheduled for Chrome 84.
For most users, the frequent pace of updates should be fairly seamless thanks to automatic updates. At most, they may be reminded to restart the browser so the update can finish installing. It’s important not to delay the updates, especially since web browsers are increasingly the first thing attackers target.