Mozilla Firefox 133 Stable Release: Key Security Patches and What’s New

Mozilla released Firefox 133 to the stable channel on November 26, 2024, for Windows, macOS, Linux, and Android (version 133.0). This update focuses heavily on security, fixing 17 vulnerabilities, including two rated “High” severity that could lead to memory corruption and potential arbitrary code execution. 


These issues were reported by independent researchers through Mozilla’s Bug Bounty Program, with no in-the-wild exploitation reported at launch. The patches also apply to Firefox ESR 128.5 and Thunderbird 128.5.

Critical Security Fixes

The vulnerabilities primarily involve memory safety errors, spoofing risks, and bypasses in protections like CSP and download warnings. High-severity issues include:

•  CVE-2024-11699 (High): Memory safety bugs fixed in Firefox 133, presumed exploitable for arbitrary code execution. Reported by Andrew McCreight and Akmat Suleimanov.

•  CVE-2024-11691 (High): Out-of-bounds write in Apple GPU drivers via WebGL, affecting Apple M-series hardware only. Reported by Dohyun Lee, Youngho Choi, and Geumhwan Cho of Korea University.

Other notable moderate-severity fixes:

•  CVE-2024-11700: Potential tapjacking on Android for intent confirmation.

•  CVE-2024-11692: Select list elements shown over another site, enabling spoofing.

•  CVE-2024-11694: CSP bypass and XSS via Web Compatibility Shims.

•  CVE-2024-11693: Download protections bypassed by .library-ms files on Windows.

•  CVE-2024-11703: Password access without authentication via PIN bypass on Android.

Low-severity issues cover crashes, data races, and UI glitches like fullscreen lock-ups on macOS. Full details are in Mozilla’s Security Advisory MFSA2024-63.

Why Update Immediately?

Firefox has over 200 million daily users, making it a frequent target for zero-day exploits, especially memory bugs in rendering components like WebGL. Update to reduce the risk of sandbox escapes, data leaks, or phishing via spoofed UI. No active attacks are known, but proactive patching is key.

To update:

•  Go to about:preferences#general > Firefox Updates.

•  Or download from mozilla.org/firefox.
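
For admins checking more than one machine, here is an added example (not Mozilla's code) that flags installs below the patched versions named in this article: Firefox 133.0, Firefox ESR 128.5, and Thunderbird 128.5. The banner format is assumed to match what `firefox --version` prints, and the host names and inventory are constructed sample data.

```python
import re

# Patched baselines named in the article; other branches are not covered here.
PATCHED = {
    ("firefox", False): (133, 0),      # release channel
    ("firefox", True): (128, 5),       # ESR
    ("thunderbird", False): (128, 5),
}

# Assumed banner format, as printed by `firefox --version`.
VERSION_RE = re.compile(
    r"Mozilla\s+(Firefox|Thunderbird)\s+(\d+(?:\.\d+)*)(esr)?", re.I
)


def is_patched(banner):
    """True/False for a recognised banner, None when it cannot be parsed."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    product, is_esr = m.group(1).lower(), m.group(3) is not None
    version = tuple(int(p) for p in m.group(2).split("."))
    # Thunderbird has a single baseline, with or without an "esr" suffix.
    minimum = PATCHED.get((product, is_esr), PATCHED[(product, False)])
    # Pad so that "133" compares equal to "133.0".
    padded = version + (0,) * (len(minimum) - len(version))
    return padded >= minimum


def audit(inventory):
    """Map host -> 'patched' | 'UPDATE NEEDED' | 'unknown'."""
    labels = {True: "patched", False: "UPDATE NEEDED", None: "unknown"}
    return {host: labels[is_patched(banner)] for host, banner in inventory}


# Constructed sample inventory (host, version banner); not real data.
SAMPLE = [
    ("ws-01", "Mozilla Firefox 133.0"),
    ("ws-02", "Mozilla Firefox 132.0.2"),
    ("ws-03", "Mozilla Firefox 128.4.0esr"),
    ("ws-04", "Mozilla Thunderbird 128.5.0"),
    ("ws-05", "firefox: command not found"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" returned no parseable version and need a manual check rather than being assumed safe.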

Other Notable Changes

•  Bounce Tracking Protection: New feature in Strict Enhanced Tracking Protection mode detects and purges bounce trackers (redirect-based) to stop cross-site tracking.

•  Synced Tabs Sidebar: Access tabs from other devices directly from the Tab overview menu.

•  Canvas2D Backend: Switched to a cross-platform acceleration backend on Windows for better performance.

•  Picture-in-Picture Reliability: Auto-open on tab switch now works more consistently across sites.

•  System Support Drop: No longer supports Windows 8.1 or earlier, or macOS 10.14 or earlier—use Firefox ESR for legacy systems.

This release strengthens privacy and stability—update today for peace of mind. Questions on specific CVEs or features? Fire away!
