Mozilla released its Firefox 53 update on April 19, introducing a new browser engine and patching 39 vulnerabilities in the open-source web browser.
The new browser engine technology in Firefox 53 is known as Project Quantum and is a multipart effort to accelerate and improve the web browsing experience for users. The Project Quantum component included in Firefox 53 is known as the Quantum Compositor; it is designed to help reduce the number of browser crashes due to graphics issues.
With the Quantum Compositor, graphics rendering is now done separately from the main Firefox process. Mozilla’s early testing for the Quantum Compositor found that it reduces the number of browser crashes by 10 percent.
“The compositor determines what you see on your screen by flattening into one image all the layers of graphics that the browser computes, kind of like how Photoshop combines layers,” Nick Nguyen, vice president for Firefox at Mozilla, wrote in a blog post.
Firefox 53 also introduces two new user interface themes. The Compact Light theme provides users with a more compact, smaller user interface using the default Firefox color scheme. The Compact Dark theme also has a compact user interface, but it provides a darker color scheme for night browsing.
In addition to the browser improvements, Mozilla patched 39 security vulnerabilities in the Firefox 53 update. Of those 39 vulnerabilities, seven are rated by Mozilla as being critical.
As with nearly all Firefox updates, one of the critical vulnerability updates deals with memory safety bugs.
“Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code,” Mozilla warned in its advisory.
Among the other critical vulnerabilities patched in Firefox 53, two are use-after-free (UAF) memory vulnerabilities (CVE-2017-5435 and CVE-2017-5433). Two other critical vulnerabilities are out-of-bounds memory errors (CVE-2017-5436 and CVE-2017-5461), plus there is a critical buffer overflow issue (CVE-2017-5459) that has been patched.
Beyond the critical issues that Mozilla fixed, it also patched three sandbox escape issues (CVE-2017-5454, CVE-2017-5455 and CVE-2017-5456) in Firefox 53 that are rated as having high impact. The Firefox sandbox is intended to restrict the ability of a given process to access areas of a system outside of the process sandbox.
“A mechanism to bypass file system access protections in the sandbox to use the file picker to access different files than those selected in the file picker through the use of relative paths,” Mozilla warns in its advisory. “This allows for read only access to the local file system.”
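The class of flaw in that last advisory, a relative path reaching a file other than the one the user picked, can be shown with a short added example; it is not Mozilla's code and does not describe how Firefox implements its sandbox. The `PickerBroker` class, its method names and the sample paths are all hypothetical, and the weak check is constructed only to contrast with the normalised one.

```python
import posixpath


class PickerBroker:
    """Hypothetical broker: a sandboxed process may read only files the user picked."""

    def __init__(self):
        self._granted = set()

    def user_picked(self, path):
        # Record the normalised absolute path of the file chosen in the picker.
        self._granted.add(posixpath.normpath(path))

    def allows_naive(self, requested):
        # Weak check (constructed): trusts the raw string and only confirms it
        # starts with the directory of a picked file, so "../" segments pass.
        return any(
            requested.startswith(posixpath.dirname(g) + "/") for g in self._granted
        )

    def allows(self, requested):
        # Stronger check: reject relative paths, collapse "." and ".." first,
        # then require an exact match with a picked file.
        # normpath does not resolve symlinks; a real broker would also need to
        # handle those, for example by handing over an already-open descriptor.
        if not posixpath.isabs(requested):
            return False
        return posixpath.normpath(requested) in self._granted


def demo():
    broker = PickerBroker()
    broker.user_picked("/home/u/Downloads/report.pdf")  # constructed sample path
    requests = [
        "/home/u/Downloads/report.pdf",
        "/home/u/Downloads/./report.pdf",
        "/home/u/Downloads/../.ssh/id_rsa",
        "../.ssh/id_rsa",
    ]
    # Map each request to (naive verdict, normalised verdict).
    return {r: (broker.allows_naive(r), broker.allows(r)) for r in requests}


if __name__ == "__main__":
    for path, (naive, strict) in demo().items():
        print(f"{path!r}: naive={naive} normalised={strict}")
```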