One of my biggest concerns regarding the state of the web isn’t ads (easily blocked) or machine learning (the legal system isn’t going to be kind to that), but the possible demise of Firefox. I’ve long been worried that with the seemingly never-ending downward marketshare spiral Firefox is in – it’s at like 3% now on desktop, even less on mobile – Mozilla’s pretty much sole source of income will eventually pull the plug, leaving the already struggling browser effectively for dead. I’ve continuously been warning that the first casualty of the downward spiral would be Firefox on platforms other than Windows and macOS.

So, what do we make of Mozilla buying an online advertising analytics company?

Mozilla has acquired Anonym, a trailblazer in privacy-preserving digital advertising. This strategic acquisition enables Mozilla to help raise the bar for the advertising industry by ensuring user privacy while delivering effective advertising solutions.

↫ Laura Chambers

They way Mozilla explains buying an advertising network is that the company wants to be a trailblazer privacy-conscious online advertising, since the current brand of online advertising, which relies on massive amounts of data collection, is unsustainable. Anonym instead employs a number of measures to ensure that privacy is guaranteed, from anonymous analytics to employing differential privacy when it comes to algorithms, ensuring data can’t be used to tack individual users.

I have no reason to doubt Mozilla’s intentions here – at least for now – but intentions change, people in charge change, and circumstances change. Having an ad network integrated into the Mozilla organisation will surely lead to temptations of weakening Firefox’ privacy features and ad-blocking abilities, and just overall I find it an odd acquisition target for something like Mozilla, and antithetical to why most people use Firefox in the first place.

What really doesn’t help is who originally founded Anonym – two former Facebook executives, backed by a load of venture capital. Do with that little tidbit of information as you please.

Mozilla has acquired ad metrics firm Anonym in a move to "support user privacy" while delivering effective online advertising. Anonym, founded by former Meta executives in 2022, helps advertisers and ad networks measure the performance of online ads while preserving user privacy. The acquisition comes amid growing consumer concerns and regulatory scrutiny over current data practices in the advertising industry. Mozilla CEO Laura Chambers sees this as a pivotal shift in the coexistence of privacy and advertising. Mozilla maintains that advertising is the underlying business model of the web, but it can be reformed to minimize societal harms.

Read more of this story at Slashdot.

Two days ago, I broke the news that Mozilla removed several Firefox extensions from the add-on store in Russia, after pressure from Russian censors. Mozilla provided me with an official statement, which seemed to highlight that the decision was not final, and it seems I was right – today, probably helped by the outcry our story caused, Mozilla has announced it’s reversing the decision. In a statement sent to me via email, an unnamed Mozilla spokesperson says:

In alignment with our commitment to an open and accessible internet, Mozilla will reinstate previously restricted listings in Russia. Our initial decision to temporarily restrict these listings was made while we considered the regulatory environment in Russia and the potential risk to our community and staff.

As outlined in our Manifesto, Mozilla’s core principles emphasise the importance of an internet that is a global public resource, open and accessible to all. Users should be free to customise and enhance their online experience through add-ons without undue restrictions.

By reinstating these add-ons, we reaffirm our dedication to:

– Openness: Promoting a free and open internet where users can shape their online experience.
– Accessibility: Ensuring that the internet remains a public resource accessible to everyone, regardless of geographical location.

We remain committed to supporting our users in Russia and worldwide and will continue to advocate for an open and accessible internet for all.

↫ Mozilla spokesperson via email

I’m glad Mozilla reversed its decision, because giving in to a dictatorship never ends well – it starts with a few extensions today, but ends up with the kind of promotional tours for China that Tim Cook goes on regularly. Firefox is a browser that lives or dies by its community, and if that community is unhappy with the course of Mozilla or the decisions it makes, especially ones that touch on core values and human rights, it’s not going to end well for them.

That being said, this does make me wonder what would’ve happened if the forum thread that started all this died in obscurity and never made its way to the media. Would Mozilla have made the same reversal?

A few days ago, I was pointed to a post on the Mozilla forums, in which developers of Firefox extensions designed to circumvent Russian censorship were surprised to find that their extensions were suddenly no longer available within Russia. The extension developers and other users in the thread were obviously not amused, and since they had received no warning or any other form of communication from Mozilla, they were left in the dark as to what was going on.

I did a journalism and contacted Mozilla directly, and inquired about the situation. Within less than 24 hours Mozilla got back to me with an official statement, attributed to an unnamed Mozilla spokesperson:

Following recent regulatory changes in Russia, we received persistent requests from Roskomnadzor demanding that five add-ons be removed from the Mozilla add-on store. After careful consideration, we’ve temporarily restricted their availability within Russia. Recognizing the implications of these actions, we are closely evaluating our next steps while keeping in mind our local community.

↫ Mozilla spokesperson via email

I and most people I talked to already suspected this was the case, and considering Russia is a totalitarian dictatorship, it’s not particularly surprising it would go after browser extensions that allow people to circumvent state censorship. Other totalitarian dictatorships like China employ similar, often far more sophisticated methods of state control and censorship, too, so it’s right in line with expectations.

I would say that I’m surprised Mozilla gave in, but at the same time, it’s highly likely resisting would lead to massive fines and possible arrests of any Mozilla employees or contributors living in Russia, if any such people exist, and I can understand a non-profit like Mozilla not having the means to effectively stand up against the Russian government. That being said, Mozilla’s official statement seems to imply they’re still in the middle of their full decision-making process regarding this issue, so other options may still be on the table, and I think it’s prudent to give Mozilla some more time to deal with this situation.

Regardless, this decision is affecting real people inside Russia, and I’m sure if you’re using tools like these inside a totalitarian dictatorship, you’re probably not too fond of said dictatorship. Losing access to these Firefox extensions through the official add-store will be a blow to their human rights, so let’s hope the source code and ‘sideloaded’ versions of these extensions remain available for them to use instead.

Mozilla has announced a 0Day Investigative Network (0Din) bug bounty program for LLMs and other deep learning tech.

The post Mozilla Launches 0Din Gen-AI Bug Bounty Program appeared first on SecurityWeek.

Mozilla released version 124.0.1 of the Firefox browser to Release channel users (the default channel that most non-developers run) on March 22, 2024. The new version fixes two critical security vulnerabilities. One of the vulnerabilities affects Firefox on desktop only, and doesn’t affect mobile versions of Firefox.

Windows users that have automatic updates enabled should have the new version available as soon or shortly after they open the browser.

Version number should read 124.0.1 or higher

Other users can update their browser by following these instructions:

• Click the menu button (3 horizontal stripes) at the right side of the Firefox toolbar, go to Help, and select About Firefox. The About Mozilla Firefox window will open.
• Firefox will check for updates automatically. If an update is available, it will be downloaded.
• You will be prompted when the download is complete, then click Restart to update Firefox.

To change the way in which Firefox installs updates, you can:

• Click the menu button (3 horizontal stripes) and select Settings.
• In the General panel, go to the Firefox Updates section.
• Here you can adjust the settings to your liking.

The vulnerabilities

The vulnerabilities were found during the Pwn2Own Vancouver 2024 hacking competition. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in this update are:

CVE-2024-29943: an attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination. This vulnerability affects Firefox < 124.0.1.

An out-of-bounds read or write can occur when a program has access outside the bounds of an allocated area of memory, potentially leading to a crash or arbitrary code execution or disclosure of information. This can happen when the size of the data is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data.

CVE-2024-29944: An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process. Note: This vulnerability affects Desktop Firefox only, it does not affect mobile versions of Firefox. This vulnerability affects Firefox < 124.0.1 and Firefox ESR < 115.9.1.

Firefox ESR (Extended Support Release) is offered for organizations, including schools, universities, businesses, and others who need extended support for mass deployments.

An event handler is a program function that is executed by the application or operating system when an event is executed on the application.

Programming languages are built on the concept of classes and objects to organize programs into simple, reusable pieces of code. A privileged object is a function or piece of code with elevated permissions.

Together, the two vulnerabilities allowed the researcher to achieve a sandbox escape of Firefox. The sandbox is employed to protect against malicious content entering the system through the browser.

---

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.