
Mozilla Defies Kremlin, Restores Banned Firefox Add-ons in Russia

By: msmash
14 June 2024 at 16:02
Mozilla has reinstated certain add-ons for Firefox that earlier this week had been banned in Russia by the Kremlin. From a report: The browser extensions, which are hosted on the Mozilla store, were made unavailable in the Land of Putin on or around June 8 after a request by the Russian government and its internet censorship agency, Roskomnadzor. Among those extensions were three pieces of code that were explicitly designed to circumvent state censorship -- including a VPN and Censor Tracker, a multi-purpose add-on that allowed users to see what websites shared user data, and a tool to access Tor websites. The day the ban went into effect, Roskomsvoboda -- the developer of Censor Tracker -- took to the official Mozilla forums and asked why his extension was suddenly banned in Russia with no warning.


Exclusive: Mozilla reverses course, re-lists extensions it removed in Russia

13 June 2024 at 13:00

Two days ago, I broke the news that Mozilla removed several Firefox extensions from the add-on store in Russia, after pressure from Russian censors. Mozilla provided me with an official statement, which seemed to highlight that the decision was not final, and it seems I was right – today, probably helped by the outcry our story caused, Mozilla has announced it’s reversing the decision. In a statement sent to me via email, an unnamed Mozilla spokesperson says:

In alignment with our commitment to an open and accessible internet, Mozilla will reinstate previously restricted listings in Russia. Our initial decision to temporarily restrict these listings was made while we considered the regulatory environment in Russia and the potential risk to our community and staff.

As outlined in our Manifesto, Mozilla’s core principles emphasise the importance of an internet that is a global public resource, open and accessible to all. Users should be free to customise and enhance their online experience through add-ons without undue restrictions.

By reinstating these add-ons, we reaffirm our dedication to:

– Openness: Promoting a free and open internet where users can shape their online experience.
– Accessibility: Ensuring that the internet remains a public resource accessible to everyone, regardless of geographical location.

We remain committed to supporting our users in Russia and worldwide and will continue to advocate for an open and accessible internet for all.

↫ Mozilla spokesperson via email

I’m glad Mozilla reversed its decision, because giving in to a dictatorship never ends well – it starts with a few extensions today, but ends up with the kind of promotional tours for China that Tim Cook goes on regularly. Firefox is a browser that lives or dies by its community, and if that community is unhappy with the course of Mozilla or the decisions it makes, especially ones that touch on core values and human rights, it’s not going to end well for them.

That being said, this does make me wonder what would’ve happened if the forum thread that started all this died in obscurity and never made its way to the media. Would Mozilla have made the same reversal?

Under pressure from Russian censors, Mozilla removes anti-censorship extensions

11 June 2024 at 15:58

A few days ago, I was pointed to a post on the Mozilla forums, in which developers of Firefox extensions designed to circumvent Russian censorship were surprised to find that their extensions were suddenly no longer available within Russia. The extension developers and other users in the thread were obviously not amused, and since they had received no warning or any other form of communication from Mozilla, they were left in the dark as to what was going on.

I did a journalism and contacted Mozilla directly, and inquired about the situation. Within less than 24 hours Mozilla got back to me with an official statement, attributed to an unnamed Mozilla spokesperson:

Following recent regulatory changes in Russia, we received persistent requests from Roskomnadzor demanding that five add-ons be removed from the Mozilla add-on store. After careful consideration, we’ve temporarily restricted their availability within Russia. Recognizing the implications of these actions, we are closely evaluating our next steps while keeping in mind our local community.

↫ Mozilla spokesperson via email

I and most people I talked to already suspected this was the case, and considering Russia is a totalitarian dictatorship, it’s not particularly surprising it would go after browser extensions that allow people to circumvent state censorship. Other totalitarian dictatorships like China employ similar, often far more sophisticated methods of state control and censorship, too, so it’s right in line with expectations.

I would say that I’m surprised Mozilla gave in, but at the same time, it’s highly likely resisting would lead to massive fines and possible arrests of any Mozilla employees or contributors living in Russia, if any such people exist, and I can understand a non-profit like Mozilla not having the means to effectively stand up against the Russian government. That being said, Mozilla’s official statement seems to imply they’re still in the middle of their full decision-making process regarding this issue, so other options may still be on the table, and I think it’s prudent to give Mozilla some more time to deal with this situation.

Regardless, this decision is affecting real people inside Russia, and I’m sure if you’re using tools like these inside a totalitarian dictatorship, you’re probably not too fond of said dictatorship. Losing access to these Firefox extensions through the official add-on store will be a blow to their human rights, so let’s hope the source code and ‘sideloaded’ versions of these extensions remain available for them to use instead.

Firefox nightly now available for Linux on ARM64

20 April 2024 at 06:30

Linux distributions running on ARM have had to roll their own Firefox builds for the architecture since forever, and it seems that Mozilla has taken this to heart as the browser maker is now supplying binary ARM builds of Firefox. They come in either a tarball or a .deb package installable through Mozilla’s apt repository. Do note, though, that Mozilla does not give the same kinds of guarantees for the ARM build of Firefox as they do for the x86 builds.

We want to be upfront about the current state of our ARM64 builds. Although we are confident in the quality of Firefox on this architecture, we are still incorporating comprehensive ARM64 testing into Firefox’s continuous integration and release pipeline. Our goal is to integrate ARM64 builds into Firefox’s extensive automated test suite, which will enable us to offer this architecture across the beta, release, and ESR channels.

↫ Gabriel Bustamante

These new builds won’t mean much for the average ARM Linux user since distributions built Firefox for the architecture already anyway, but it does offer users a direct line to Firefox they didn’t have before.

Patch now: Mozilla patches two critical vulnerabilities in Firefox

26 March 2024 at 10:09

Mozilla released version 124.0.1 of the Firefox browser to Release channel users (the default channel that most non-developers run) on March 22, 2024. The new version fixes two critical security vulnerabilities. One of the vulnerabilities affects Firefox on desktop only, and doesn’t affect mobile versions of Firefox.

Windows users who have automatic updates enabled should have the new version available as soon as, or shortly after, they open the browser.

Version number should read 124.0.1 or higher

Other users can update their browser by following these instructions:

  • Click the menu button (3 horizontal stripes) at the right side of the Firefox toolbar, go to Help, and select About Firefox. The About Mozilla Firefox window will open.
  • Firefox will check for updates automatically. If an update is available, it will be downloaded.
  • You will be prompted when the download is complete, then click Restart to update Firefox.

To change the way in which Firefox installs updates, you can:

  • Click the menu button (3 horizontal stripes) and select Settings.
  • In the General panel, go to the Firefox Updates section.
  • Here you can adjust the settings to your liking.

The vulnerabilities

The vulnerabilities were found during the Pwn2Own Vancouver 2024 hacking competition. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in this update are:

CVE-2024-29943: an attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination. This vulnerability affects Firefox < 124.0.1.

An out-of-bounds read or write can occur when a program accesses memory outside the bounds of an allocated area, potentially leading to a crash, arbitrary code execution, or disclosure of information. This can happen when the size of the data is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data.

CVE-2024-29944: An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process. Note: This vulnerability affects Desktop Firefox only, it does not affect mobile versions of Firefox. This vulnerability affects Firefox < 124.0.1 and Firefox ESR < 115.9.1.

Firefox ESR (Extended Support Release) is offered for organizations, including schools, universities, businesses, and others who need extended support for mass deployments.

An event handler is a program function that the application or operating system executes when an event occurs in the application.

Programming languages are built on the concept of classes and objects to organize programs into simple, reusable pieces of code. A privileged object is a function or piece of code with elevated permissions.

Together, the two vulnerabilities allowed the researcher to achieve a sandbox escape of Firefox. The sandbox is employed to protect against malicious content entering the system through the browser.
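
An added example, not part of the original article: a Python check that maps `firefox --version` output to the two CVEs above, using only the fixed-version thresholds the article states. The host names and inventory are constructed, and assessing ESR builds only where the article gives an ESR threshold is an assumption.

```python
import re

# First fixed version per channel, exactly as the article states them.
# None: the article gives no threshold for that channel (assumption: not assessed).
FIXED = {
    "CVE-2024-29943": {"release": (124, 0, 1), "esr": None, "desktop_only": False},
    "CVE-2024-29944": {"release": (124, 0, 1), "esr": (115, 9, 1), "desktop_only": True},
}

# Matches release and ESR banners such as "Mozilla Firefox 124.0" or "... 115.9.0esr".
VERSION_RE = re.compile(r"Mozilla Firefox (\d+)\.(\d+)(?:\.(\d+))?(esr)?\b")

def parse_version(banner):
    """Return ((major, minor, patch), channel) from `firefox --version` output."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised version string: {banner!r}")
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor), int(patch or 0)), ("esr" if esr else "release")

def affected_cves(banner, mobile=False):
    """List the CVEs from the article that the given build is still exposed to."""
    version, channel = parse_version(banner)
    hits = []
    for cve, info in FIXED.items():
        fixed = info[channel]
        if fixed is None or (mobile and info["desktop_only"]):
            continue
        if version < fixed:  # tuple comparison: (124, 0, 0) < (124, 0, 1)
            hits.append(cve)
    return hits

# Constructed sample inventory: host -> output of `firefox --version`.
INVENTORY = {
    "ws-01": "Mozilla Firefox 124.0",
    "ws-02": "Mozilla Firefox 124.0.1",
    "srv-01": "Mozilla Firefox 115.9.0esr",
    "srv-02": "Mozilla Firefox 115.9.1esr",
}

def scan(inventory):
    """Return {host: [CVE, ...]} for hosts that still need the update."""
    found = {host: affected_cves(banner) for host, banner in inventory.items()}
    return {host: cves for host, cves in found.items() if cves}

if __name__ == "__main__":
    for host, cves in scan(INVENTORY).items():
        print(f"{host}: update required ({', '.join(cves)})")
```

Version strings that are neither release nor ESR format raise `ValueError` rather than being silently treated as patched.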

