Mozilla this week shipped Firefox 76 with enhanced password protections that include warnings of sites reportedly victimized by criminals as well as alerts if users rely on passwords known to have been leaked in breaches of other sites or services.
Engineers also patched 11 vulnerabilities, three labeled “Critical,” Firefox’s most-serious label, and another trio marked “High,” the next level down. One of the critical flaws was reported by noted researcher James Forshaw of Google’s Project Zero, and affected only the Windows version of the browser.
“The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape,” Mozilla said in the accompanying advisory.
Firefox 76 can be downloaded for Windows, macOS and Linux from Mozilla’s site. Because Firefox updates in the background, most users can simply relaunch the browser to get the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page shows that the browser is either up to date or describes the refresh process.
Mozilla now upgrades Firefox every four weeks, a significantly faster tempo than Google’s Chrome or Microsoft’s Edge. Mozilla last upgraded the browser on April 7.
Breach, reuse warnings now flash in password manager
The notable enhancements to Firefox 76 took place within its password manager, dubbed Lockwise, an area of emphasis for Mozilla in the past.
“There’s no doubt that during the last couple of weeks you’ve been signing up for new online services like streaming movies and shows, ordering takeout or getting produce delivered to your home,” Mozilla said in a post to a May 5 company blog. “All of those new accounts need unique, strong passwords to be secure, which you can now generate, manage and protect more easily.”
One change now requires a user to enter a Firefox master password – one that locks all stored passwords – or OS log-in credential to view those saved passwords in plain text. (Previously, the only way to keep nosy neighbors from looking over a shoulder to spy out a password was with a Firefox master password – but that had disadvantages of its own, particularly the browser demanding it once a session in order to access the usernames and passwords for entry into site forms.)
Another new aspect of the integrated manager: An alert appears in the sites’ credentials list when a password has been revealed in a breach. (Mozilla relies on the Have I Been Pwned? site and service for breach information.) The idea here is to prompt users to change those disclosed passwords, both on the appropriate sites and in the browser’s manager.
(Since November 2018, Firefox has displayed in-the-browser notifications when a user steered toward a site that had been breached.)
Firefox now also notifies users when they’ve reused a password that is already on the list of passwords that appear to have leaked; again, as a prompt to not do something that stupid. Mozilla doesn’t actually “see” such passwords as they’re entered or receive them in any form of plain text. Instead, Firefox builds an encrypted list of the breached passwords, then checks that against all saved passwords.
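A local breach-and-reuse check of the kind described above can be sketched as follows. This is an added example, not Mozilla's code: the `Login` record, the day-number timestamps, the sample data, and the use of HMAC-SHA256 under a local random key in place of the article's "encrypted list" are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    site: str
    username: str
    password: str
    changed_day: int  # constructed unit: day number of the last password change


def keyed_digest(key: bytes, password: str) -> bytes:
    # Assumption: HMAC-SHA256 under a local random key stands in for the
    # "encrypted list" the article describes; the key never leaves this process.
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()


def audit(logins, breach_day_by_site):
    """Return {(site, username): "breached" | "vulnerable" | "ok"}."""
    key = secrets.token_bytes(32)
    status = {}
    exposed = set()
    # Pass 1: a login is breached if its site was breached after the
    # password was last changed, so the stored password was in use then.
    for login in logins:
        breach_day = breach_day_by_site.get(login.site)
        if breach_day is not None and login.changed_day < breach_day:
            status[(login.site, login.username)] = "breached"
            exposed.add(keyed_digest(key, login.password))
    # Pass 2: any other login whose password matches an exposed one is reused.
    for login in logins:
        ident = (login.site, login.username)
        if ident not in status:
            reused = keyed_digest(key, login.password) in exposed
            status[ident] = "vulnerable" if reused else "ok"
    return status


# Constructed sample data, not real accounts or breach records.
SAMPLE_LOGINS = [
    Login("shop.example", "alice", "hunter2", 10),
    Login("mail.example", "alice", "hunter2", 5),
    Login("bank.example", "alice", "c0rrect-horse", 5),
    Login("forum.example", "alice", "fresh-pass", 30),
]
SAMPLE_BREACHES = {"shop.example": 20, "forum.example": 20}

if __name__ == "__main__":
    for ident, state in audit(SAMPLE_LOGINS, SAMPLE_BREACHES).items():
        print(ident, state)
```

The forum.example login stays "ok" because its password was changed after the breach date, which is the outcome the alerts are meant to prompt.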
Mozilla also tweaked the video picture-in-picture feature that debuted in Firefox 71 (Windows) and 72 (macOS, Linux). Picture-in-picture lets users separate video from a web page and place it within a separate, small window, where it remains viewable whether the active tab is switched or even if Firefox stays open in the background. In Firefox 76, a double-click expands the picture-in-picture frame to full-screen, while a second double-click restores it to its original, smaller size.
The next Mozilla upgrade, Firefox 77, will be released June 2.