Software & Apps

Firefox, Chrome each fix more than a dozen vulnerabilities

Posted on by

On Tuesday, August 1, Mozilla released Firefox 116, the monthly major version-incrementing update for its Web browser. Aside from a few minor feature updates and under-the-hood changes, Firefox 116 also fixes 14 vulnerabilities that had CVE numbers assigned to them.

Mozilla rates the overall severity of these vulnerabilities as “high.” Individually, Mozilla rates nine vulnerabilities as “high,” four as “moderate,” and one as “low” severity.

CVE stands for Common Vulnerabilities and Exposures; it’s a standard that gives a unique name to each vulnerability. This makes it easier to identify the same vulnerability as it may apply to multiple products.

As we mentioned last month, this month’s Firefox release no longer supports a number of Mac and Windows operating systems. Mozilla has stopped supporting three Mac operating systems all at once: macOS Sierra (10.12), macOS High Sierra (10.13), and macOS Mojave (10.14). The company has also ended support for Windows 7, Windows 8, and Windows 8.1. Notably, none of these operating systems are still getting security updates from Apple or Microsoft, respectively.

Firefox to end macOS Mojave, Windows 7/8 updates—Here’s why that’s a good thing

Google also updated Chrome this week

Today, on Wednesday, August 2, Google also released updates for its Chrome browser. Chrome version 115.0.5790.170 includes 17 security fixes, including 11 CVEs reported by external entities. Of those 11, Google rates two as “medium” and the remaining nine as “high” severity vulnerabilities.

One of those nine is a high-severity WebGL vulnerability that Apple reported to Google.

Many popular alternative browsers are built upon the same Chromium open-source software upon which Chrome is based. Among them are Microsoft Edge, Brave, Opera, and Vivaldi. As of publication time, none of these have released corresponding browser updates yet. Updates for each of these browsers will likely arrive within the next week or so. Updates: Brave and Vivaldi released corresponding updates on Thursday, August 3. Microsoft released a corresponding Edge update on August 7. As of this article’s last update on August 8, Opera had not yet patched its browser.

What else is noteworthy about these updates?

The fact that both browsers patched nine high-severity vulnerabilities is coincidental. No overlap exists between the CVEs addressed in Firefox (numbered CVE-2023-4045 through -4058) and those addressed in Chrome (numbered -4068 through -4078).

Neither Mozilla nor Google indicates that any of these vulnerabilities are known to have been actively exploited in the wild. Nevertheless, it’s always advisable to install security updates quickly. Once vulnerability details become public knowledge, threat actors can potentially start exploiting those vulnerabilities in real-world attacks.

If you’re wondering about Safari, it uses different page rendering engines from Firefox and Chrome. No updates are needed at this time, assuming you installed the security updates Apple released on July 24.

Urgent: macOS Ventura 13.5, iOS 16.6, etc. fix major kernel vulnerability

How can I update Firefox, Chrome, or other desktop browsers?

Mac users can update their browsers by clicking on the application menu (e.g. “Firefox” or “Chrome,” next to the Apple logo menu), and then clicking the first item in that menu (e.g. “About Firefox” or “About Google Chrome”). The browser will check for updates, and if an update is available, you will see a prompt to restart the app to complete the update.

The one major Mac browser that doesn’t follow this convention is Vivaldi. After clicking on the Vivaldi menu (next to the Apple menu), click on “Check for Updates…” to ensure you have the latest version installed.

Windows users can update their browsers by following the steps provided by each browser maker: Firefox, Chrome, Edge, Brave, Vivaldi, and Opera.

As of publication time, so far only Firefox and Chrome had addressed the aforementioned vulnerabilities. Updates for each of the other browsers will likely arrive within the next week or so. Updates: Brave and Vivaldi released corresponding updates on Thursday, August 3. Microsoft released a corresponding Edge update on August 7. As of this article’s last update on August 8, Opera had not yet patched its browser.

Meanwhile, Apple’s Safari browser is presumably unaffected by this week’s Firefox and Chrome vulnerabilities. Apple updates Safari alongside macOS; the most recent update arrived last week, on July 24. Although Apple once developed a Windows version of Safari, its last update was in 2012.

Android mobile browsers are affected, too

Mozilla and Google updated their respective Android browsers to address the same vulnerabilities. Android users should check the Google Play Store app for the latest versions of Firefox and Chrome.

Apple requires all mobile browsers in the App Store to use Safari’s WebKit engine, rather than their native engines. Therefore, this week’s vulnerabilities presumably do not affect the iOS or iPadOS versions of any Web browsers. If you would like to update your iPhone and iPad browsers anyway, you can do so via the App Store; here’s how to manually check for and install updates. Note that Vivaldi for iOS is still an invite-only beta and is not yet available in the App Store.

Sometime after the release of iOS 17 and iPadOS 17, third-party app stores may become a reality—at least in the EU, for compliance with the Digital Markets Act. Apple must comply with the DMA no later than March 2024. It’s possible that third-party stores may eventually distribute alternative browser versions that use their own engines, rather than the WebKit-locked App Store versions. Or, hypothetically, Apple might decide to change its policy on third-party browser engines, if major players like Google, Mozilla, and Microsoft remove their apps from Apple’s App Store in favor of alternative stores. Only time will tell.

Some non-browser apps may soon need updates

As we’ve noted in the past, many non-browser apps, including Electron apps, also rely on the Chromium browser codebase for rendering HTML content. These may include the desktop versions of apps like 1Password, Discord, Dropbox, Figma, GitHub, Microsoft Teams, Signal, Skype, Slack, Trello, Twitch, WhatsApp, WordPress, and Zoom. Notably, the Electron framework does not get updated in tandem with Chromium, so some Electron-based apps may remain vulnerable for months.

For this and other reasons, it’s important to keep all your other apps updated as well. To update Mac App Store apps, open the App Store, then click Updates, and click on Update All. Apps obtained outside of the App Store usually have their own in-app update mechanism or a separate updater app. In some cases, you may need to update an app manually by downloading a new version from the developer’s site.

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →