Mozilla Patches 11 Security Vulnerabilities in Firefox
Today’s topics include Firefox 64 dropping RSS and boosting tab management, and Shopify avoiding a data breach by using a bug program.
Firefox 64 has become generally available but without direct integrated support for RSS feed preview and live bookmarks. RSS is a capability that enables users to quickly see a list of recent items from a given website.
Mozilla stated, "We have realized that these features have an outsized maintenance and security impact relative to their usage. Removing the feed reader and Live Bookmarks allows us to focus on features that make a greater impact."
While RSS feed preview is no longer directly integrated into Firefox, there are third-party add-ons available that provide a similar type of functionality.
With Firefox 64, Mozilla has enhanced tab management capabilities, enabling users to move, close or bookmark multiple tabs at the same time. Also improved are a number of browser monitoring capabilities, including performance management.
At KubeCon + CloudNativeCon NA 2018 in Seattle last week, Shopify outlined how a bug bounty program and its vendor partner Google helped it avoid a potentially disastrous flaw that could have enabled an attacker to take over its Kubernetes cluster.
To help identify unknown flaws, Shopify uses a managed bug bounty program on the HackerOne platform, where security researchers are rewarded for responsibly and privately disclosing flaws. Over 300 hackers have participated in the program in the past three years, and more than $1 million has been awarded in bug bounties.
The specific Kubernetes cluster flaw detailed at KubeCon was discovered by security researcher Andre Baptista, who was awarded $25,000. He was able to exploit a server-side request forgery (SSRF) flaw to obtain a Google service account token and the Kube-env variable, which provided a Kubelet token, which in turn was used to gain full control of the cluster.
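The chain above starts with a server-side fetch reaching an internal endpoint; on Google Cloud, the service account token and the kube-env attribute are served by the instance metadata server at 169.254.169.254 (metadata.google.internal). As an added example (not from the article or from Shopify), here is a destination check for a server-side fetcher; the function names, host names and DNS table are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline (not real records).
CONSTRUCTED_DNS = {
    "shop.example": ["93.184.216.34"],
    "metadata.google.internal": ["169.254.169.254"],
    "2852039166": ["169.254.169.254"],            # decimal form of the same IP
    "mapped.example": ["::ffff:169.254.169.254"],  # IPv4-mapped IPv6 form
    "rebind.example": ["93.184.216.34", "169.254.169.254"],
}

def constructed_resolve(host):
    """Hypothetical resolver backed by the table above."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return CONSTRUCTED_DNS[host]

def system_resolve(host):
    """OS resolver; it also decodes numeric forms such as '2852039166'."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def blocked_reason(addr_text):
    """Return why an address must not be fetched, or None if it is public."""
    ip = ipaddress.ip_address(addr_text.split("%")[0])  # drop IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge the embedded IPv4 address
    for flag in ("is_link_local", "is_loopback", "is_private",
                 "is_multicast", "is_reserved", "is_unspecified"):
        if getattr(ip, flag):
            return f"{ip} {flag[3:]}"
    return None

def check_fetch_target(url, resolve=system_resolve):
    """Return (allowed, detail); every resolved address must be public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "scheme or host not allowed"
    try:
        addresses = resolve(parts.hostname)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    for addr in addresses:
        reason = blocked_reason(addr)
        if reason:
            return False, reason
    if not addresses:
        return False, "no addresses"
    return True, addresses[0]  # connect to this exact address
```

The fetcher should connect to the address that was validated rather than resolving the name again, and run the same check on every redirect target.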