Threat Watch

Mozilla has Updated Firefox to 92.0 and Firefox ESR to 78.14.0, OpenSSL 3.0 Released

Mozilla has updated both Firefox proper and Firefox ESR. The releases include several performance and feature updates, such as “…automatically upgrading to HTTP using HTTPS RR as Alt-Svc headers”. They also include quite a few security fixes, such as CVE-2021-38493, which corrects memory safety issues in Firefox 92, Firefox ESR 78.14 and Firefox 91.1 that allowed for arbitrary code execution in userland. Firefox 92 has also significantly improved the UI for certificate errors, displaying information in a more user-friendly way.

After three years of development, OpenSSL 3.0 has been released with a rather surprising 94% increase in available documentation. Due to safety concerns, API functions have been deprecated, and alternative APIs have been suggested as a workaround. Most importantly, the OpenSSL FIPS Module has been fully implemented and is waiting on a certificate from NIST, anticipated later this year. FIPS 140-2 specifies the security requirements to be satisfied by a cryptographic module, according to NIST. Finally, OpenSSL 3.0 has transitioned to the Apache License 2.0; the previous license applies to older versions in production.

ANALYST NOTES

As always, it is best to update critical software as soon as it is viable for the enterprise environment. The updates discussed in this brief offer many more benefits in addition to the security fixes. OpenSSL has significantly improved its cryptographic functionality and has applied for recognition from NIST as well.

https://www.mozilla.org/en-US/firefox/92.0/releasenotes/

https://www.mozilla.org/en-US/firefox/78.14.0/releasenotes/

https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final/