published an unexpected patch this week, bumping Firefox up to version 57.0.3.

(You probably weren’t expecting a update between Christmas and New Year, but it’s good to know that security fixes don’t take second place in holiday season.)

Officially numbered Bug 1427111, the good news is that this wasn’t a vulnerability that gave crooks the ability to launch an attack, implant malware, or rootle around for personal on your hard disk.

It was, however, an ironic : if Firefox hit a and crashed, it could then hit another and upload crash data even if you’d told it not to.

Technically, this counts as data , but because the data was sent directly from your browser to Mozilla’s servers, rather than to somewhere unknown or unpredicatable, we’ll accept that the risk was modest:

browser data leakage bug – mozilla to delete info just in case – naked security - ff bug 632 - Browser data leakage bug – Mozilla to delete info just in case – Naked Security

Fix a crash reporting issue that inadvertently sends background tab crash reports to Mozilla without user opt-in

As bugs go, this one doesn’t sound terribly serious – not least because many users have Mozilla’s crash reporting turned on anyway, as a way of helping the development team.

You can check your own settings on the about:preferences#privacy page, in the section about data collection:

browser data leakage bug – mozilla to delete info just in case – naked security - ff collection 6301 - Browser data leakage bug – Mozilla to delete info just in case – Naked Security

However, as Mozilla notes, there is a small risk of personal data escaping in a crash report, not least because the information uploaded comes from the memory space of a program that has already misbehaved by crashing in the first place:

[W]e need to be mindful that crash dumps contain the contents of the crashing tab. With low frequency they may contain private or identifying information.

That’s why some users (we’re amongst that number) err on the side of caution and deliberately turn off crash reporting, for all that it might benefit the community to have it enabled.

And therein lies a dilemma for Mozilla: the organisation may already have collected data that wasn’t supposed to be uploaded, something that this update can’t reach back in time and fix.

Worse still for Mozilla, it can’t now tell which crash dump data was collected on account of the bug, and which of it was collected with consent.

Mozilla has therefore said it aims to get rid of information it’s not sure it ought to have collected, writing that “[o]ur goal is to have this data deleted in the next ten days”.

We think that’s a silver lining to this bug.

After all, we’ve seen mailing lists ask for ten days to remove us from their address database when we’ve unsubscribed – and that includes mailing lists that didn’t ask for permission to add us in the first place – without even offering to remove any else they might know about us at the same time.

What to do?

  • To check that Firefox is up to date, and to trigger an update if it isn’t, just go to the About Firefox menu option.
  • To revisit your chosen settings for crash reports, put the special URL about:preferences#privacy into the address bar.

Source link


Please enter your comment!
Please enter your name here