Heard
of
cricket
(the
sport,
not
the
insect)?
It’s
much
like
baseball,
except
that
batters
can
hit
the
ball
wherever
they
like,
including
backwards
or
sideways;
bowlers
can
hit
the
batter
with
the
ball
on
purpose
(within
certain
safety
limits,
of
course
–
it
just
wouldn’t
be
cricket
otherwise)
without
kicking
off
a
20-minute
all-in
brawl;
there’s
almost
always
a
break
in
the
middle
of
the
afternoon
for
tea
and
cake;
and
you
can
score
six
runs
at
a
time
as
long
as
you
hit
the
ball
high
and
far
enough
(seven
if
the
bowler
makes
a
mistake
as
well).
Well,
as
cricket
enthusiasts
know,
111
runs
is
a
superstitious
score,
considered
unauspicious
by
many –
the
cricketer’s
equivalent
of
Macbeth
to
an
actor.
It’s
known
as
a
Nelson,
though
nobody
actually
seems
to
know
why.
Today
therefore
sees
Firefox’s
Nelson
release,
with
version
111.0
coming
out,
but
there
doesn’t
seem
to
be
anything
unauspicious
about
this
one.
Eleven
individual
patches,
and
two
batches-of-patches
As
usual,
there
are
numerous
security
patches
in
the
update,
including
Mozilla’s
usual
combo-CVE
vulnerability
numbers
for
potentially
exploitable
bugs
that
were
found
automatically
and
patched
without
waiting
to
see
if
a
proof-of-concept
(PoC)
exploit
was
possible:
-
CVE-2023-28176:
Memory
safety
bugs
fixed
in
Firefox
111
and
Firefox
ESR
102.9.
These
bugs
were
shared
between
the
current
version
(which
includes
new
features)
and
the
ESR
version,
short
for
extended
support
release
(security
fixes
applied,
but
with
new
features
frozen
since
version
102,
nine
releases
ago). -
CVE-2023-28177:
Memory
safety
bugs
fixed
in
Firefox
111
only.
These
bugs
almost
certainly
only
exist
in
new
code
that
brought
in
new
features,
given
that
they
didn’t
show
up
in
the
older
ESR
codebase.
These
bags-of-bugs
have
been
rated
High
rather
than
Critical.
Mozilla
admits
that
“we
presume
that
with
enough
effort
some
of
these
could
have
been
exploited
to
run
arbitrary
code”,
but
no
one
has
yet
figured
out
how
to
do
so,
or
even
if
such
exploits
are
feasible.
None
of
the
other
eleven
CVE-numbered
bugs
this
month
were
worse
thah
High;
three
of
them
apply
to
Firefox
for
Android
only;
and
no
one
has
yet
(so
far
as
we
yet
know)
come
up
with
a
PoC
exploit
that
shows
how
to
abuse
them
in
real
life.
Two
notably
interesting
vulnerabilities
appear
amongst
the
11,
namely:
-
CVE-2023-28161:
One-time
permissions
granted
to
a
local
file
were
extended
to
other
local
files
loaded
in
the
same
tab.
With
this
bug,
if
you
opened
a
local
file
(such
as
downloaded
HTML
content)
that
wanted
access,
say,
to
your
webcam,
then
any
other
local
file
you
opened
afterwards
would
magically
inherit
that
access
permission
without
asking
you.
As
Mozilla
noted,
this
could
lead
to
trouble
if
you
were
looking
through
a
collection
of
items
in
your
download
directory
–
the
access
permission
warnings
you’d
see
would
depend
on
the
order
in
which
you
opened
the
files. -
CVE-2023-28163:
Windows
Save
As
dialog
resolved
environment
variables.
This
is
another
keen
reminder
to
sanitise
thine
inputs,
as
we
like
to
say.
In
Windows
commands,
some
character
sequences
are
treated
specially,
such
as
,
%USERNAME%
which
gets
converted
to
the
name
of
the
currently
logged-on
user,
or
,
%PUBLIC%
which
denotes
a
shared
directory,
usually
in
.
C:Users
A
sneaky
website
could
use
this
as
a
way
to
trick
you
into
seeing
and
approving
the
download
of
a
filename
that
looks
harmless
but
lands
in
a
directory
you
wouldn’t
expect
(and
where
you
might
not
later
realise
it
had
ended
up).
What
to
do?
Most
Firefox
users
will
get
the
update
automatically,
typically
after
a
random
delay
to
stop
everyone’s
computer
downloading
at
the
same
moment…
…but
you
can
avoid
the
wait
by
manually
using
Help
>
About
(or
Firefox
>
About
Firefox
on
a
Mac)
on
a
laptop,
or
by
forcing
an
App
Store
or
Google
Play
update
on
a
mobile
device.
(If
you’re
a
Linux
user
and
Firefox
is
supplied
by
the
maker
of
your
distro,
do
a
system
update
to
check
for
the
availability
of
the
new
version.)