So in this case it was not a true vulnerability. There was no known exploit IRL, no PoC; Fission is just a sane concept, implemented in stable ESR after testing in Firefox. Side-channel attacks are already mitigated in the CPU; how could we know, at the time of a completely new and untested Fission implementation, that it is not buggy?
And so Firefox-esr 91.x was more vulnerable to side-channel attacks than Firefox until the 102 version bump. It didn't get this site isolation until the 102.x series came around.
I think they're both equal in security; it's just that the normal release has a more recent feature set.
Firefox-esr at that time was the 91.x series.
Firefox-esr is, after all, meant for universities and businesses, so it has to be more stable and reliable. They both get security updates as needed, but Firefox-esr is a more stable version, as it doesn't include all the latest and greatest features that could end up making the browser less reliable and stable. I don't think it's that one is more secure than the other; it's that Firefox-esr is a more stable and reliable version.
Just as a quick comparison, here are the latest CVEs for Firefox and Firefox-esr.
So is it just kind of a trade-off? Sometimes Firefox-esr will be more secure and sometimes Firefox will be more secure? Or do you think that one will be generally more secure than the other over time? I read in a Reddit post that Firefox may have additional CVEs because when things change there will be additional holes. Now, eventually Firefox is going to get some new security features that Firefox-esr doesn't have, in which case I would expect that Firefox-esr will have some CVEs that Firefox won't have. I checked all versions since 102.0, and over that time Firefox has not added any new security features. So at the moment Firefox-esr seems to be more secure than Firefox.
So I checked the missing CVEs in Debian's Security Bug Tracker, and it turns out that the reason they were missing in Firefox-esr is that they weren't vulnerable in Firefox-esr. In each of them, Firefox had more CVEs fixed than did the corresponding version of Firefox-esr. I've checked the last four major versions of Firefox and Firefox-esr.