Firefox updated...


176 replies to this topic

#151 AplusWebMaster

Posted 28 November 2016 - 06:22 PM

FYI...

Firefox 50.0.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

- https://www.mozilla....1/releasenotes/
Nov 28, 2016
> https://www.mozilla..../#firefox50.0.1
Security vulnerabilities fixed in Firefox 50.0.1
> https://www.mozilla....es/mfsa2016-91/
CVE-2016-9078: data: URL can inherit wrong origin after an HTTP redirect
Impact: Critical
___

- http://www.securityt....com/id/1037353
CVE Reference: https://cve.mitre.or...e=CVE-2016-9078
Nov 29 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 49, 50 ...
Description: A vulnerability was reported in Mozilla Firefox. A remote user can bypass security controls on the target system.
A remote user can return a specially crafted HTTP redirection to a 'data:' URL to bypass same-origin controls and allow the referring domain to access data in the 'data:' URL domain.
Impact: A remote user can bypass same-origin restrictions to potentially read or write information from 'data:' URLs.
Solution: The vendor has issued a fix (50.0.1)...
___

- https://www.us-cert....Security-Update
Nov 28, 2016
 

Edited by AplusWebMaster, 30 November 2016 - 05:26 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#152 AplusWebMaster

Posted 01 December 2016 - 04:14 AM

FYI...

Firefox 50.0.2 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

- https://www.mozilla....2/releasenotes/
Nov 30, 2016
> https://www.mozilla..../#firefox50.0.2
Fixed in:
 Firefox 50.0.2
 Firefox ESR 45.5.1
 Thunderbird 45.5.1
> https://www.mozilla....es/mfsa2016-92/
CVE-2016-9079: Use-after-free in SVG Animation
Critical
___

- http://www.securityt....com/id/1037370
CVE Reference: https://cve.mitre.or...e=CVE-2016-9079
Updated: Dec 1 2016
Original Entry Date: Nov 30 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 50.0.1; possibly earlier versions
Impact: A remote user can create JavaScript content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (50.0.2; ESR 45.5.1)...
___

- https://www.us-cert....ecurity-Updates
Nov 30, 2016
 

#153 AplusWebMaster

Posted 13 December 2016 - 11:47 AM

FYI...

Firefox 50.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

Release notes
- https://www.mozilla....0/releasenotes/
Dec 13, 2016
- https://www.mozilla....ox/#firefox50.1
> https://www.mozilla....es/mfsa2016-94/
CVE-2016-9894: Buffer overflow in SkiaGL - Critical
CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements - Critical
CVE-2016-9895: CSP bypass using marquee tag - High
CVE-2016-9896: Use-after-free with WebVR - High
CVE-2016-9897: Memory corruption in libGLES - High
CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees - High
CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs - High
CVE-2016-9904: Cross-origin information leak in shared atoms - High
CVE-2016-9901: Data from Pocket server improperly sanitized before execution - Moderate
CVE-2016-9902: Pocket extension does not validate the origin of events - Moderate
CVE-2016-9903: XSS injection vulnerability in add-ons SDK - Moderate
CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1 - Critical
CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6 - Critical
___

- http://www.securityt....com/id/1037461
CVE Reference: CVE-2016-9080, CVE-2016-9893, CVE-2016-9894, CVE-2016-9895, CVE-2016-9896, CVE-2016-9897, CVE-2016-9898, CVE-2016-9899, CVE-2016-9900, CVE-2016-9901, CVE-2016-9902, CVE-2016-9903, CVE-2016-9904
Dec 14 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 50.1; ESR prior to ESR 45.6
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (50.1; ESR 45.6)...

- http://www.securityt....com/id/1037462
CVE Reference: CVE-2016-9905
Dec 14 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to ESR 45.6
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (ESR 45.6)...

Firefox ESR 45.6: https://www.mozilla....#firefoxesr45.6
 

Edited by AplusWebMaster, 14 December 2016 - 10:06 AM.

#154 AplusWebMaster

Posted 27 December 2016 - 08:07 AM

FYI...

Update on Firefox Support for Windows XP and Vista
- https://blog.mozilla...r-xp-and-vista/
Dec 23, 2016 - "In approximately March, 2017, Windows XP and Vista users will automatically be moved to the Firefox Extended Support Release (ESR*).
Firefox is one of the few browsers that continues to support Windows XP and Vista, and we expect to continue to provide security updates for users until September 2017. Users do not need to take additional action to receive those updates. In mid-2017, user numbers on Windows XP and Vista will be reassessed and a final support end date will be announced. In the meantime, we strongly encourage our users to upgrade to a version of Windows that is supported by Microsoft. Unsupported operating systems receive no security updates, have known exploits, and are dangerous for you to use. For planning purposes, enterprises using Firefox should consider September 2017 as the support end date for Windows XP and Vista. For more information please visit the Firefox support page**."
* https://www.mozilla..../organizations/

** https://support.mozi...ws-xp-and-vista
"... Firefox version 52 will be the last complete update for Windows XP and Windows Vista. Security updates will be released, but no new features... Firefox is one of the only browsers to offer any support for Windows XP and Vista. Microsoft itself ended support for Windows XP in 2014 and will end support for Windows Vista in 2017. Unsupported operating systems receive no security updates, have known exploits, and can be dangerous to use, which makes it difficult to maintain Firefox on those versions.
Firefox security updates for XP and Vista users will continue until September 2017, although new features will not be offered. In mid-2017, a final support end date will be announced based on the number of users still on Windows XP and Vista..."  

> https://www.mozilla....anizations/faq/
 

#155 AplusWebMaster

Posted 24 January 2017 - 09:45 AM

FYI...

Firefox 51.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

 

Release notes
- https://www.mozilla....0/releasenotes/
Jan 24, 2017

Security vulnerabilities fixed in Firefox 51
- https://www.mozilla....efox/#firefox51
Security vulnerabilities fixed in Firefox 51
- https://www.mozilla....es/mfsa2017-01/
Critical
CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP
CVE-2017-5376: Use-after-free in XSL
CVE-2017-5377: Memory corruption with transforms to create gradients in Skia
CVE-2017-5374: Memory safety bugs fixed in Firefox 51
CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7

Firefox ESR 45.7: https://www.mozilla....#firefoxesr45.7
___

- http://www.securityt....com/id/1037693
CVE Reference: CVE-2017-5373, CVE-2017-5374, CVE-2017-5375, CVE-2017-5376, CVE-2017-5377, CVE-2017-5378, CVE-2017-5379, CVE-2017-5380, CVE-2017-5381, CVE-2017-5382, CVE-2017-5383, CVE-2017-5384, CVE-2017-5385, CVE-2017-5386, CVE-2017-5387, CVE-2017-5388, CVE-2017-5389, CVE-2017-5390, CVE-2017-5391, CVE-2017-5392, CVE-2017-5393, CVE-2017-5394, CVE-2017-5395, CVE-2017-5396
Jan 25 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 51.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can gain elevated privileges on the target system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof a URL.
Solution: The vendor has issued a fix (51.0, ESR 45.7)...
 

Edited by AplusWebMaster, 25 January 2017 - 04:07 AM.

#156 AplusWebMaster

Posted 07 March 2017 - 03:05 PM

FYI...

Firefox 52.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

Release notes
- https://www.mozilla....0/releasenotes/
Mar 7, 2017
New:
- Added support for WebAssembly, an emerging standard that brings near-native performance to Web-based games, apps, and software libraries without the use of plugins.
- Enabled multi-process Firefox for Windows users with touch screens
- Added user warnings for non-secure HTTP pages with logins. Firefox now displays a “This connection is not secure” message when users click into the username and password fields on pages that don’t use HTTPS.
- Implemented the Strict Secure Cookies specification which forbids insecure HTTP sites from setting cookies with the "secure" attribute. In some cases, this will prevent an insecure site from setting a cookie with the same name as an existing "secure" cookie from the same base domain.
- Enhanced Sync to allow users to send and open tabs from one device to another...
Changed:
- Removed support for Netscape Plugin API (NPAPI) plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported:
> https://support.mozi...s-no/ta-p/31069
>> Migrated Firefox users on Windows XP and Windows Vista operating systems to the extended support release (ESR*) version of Firefox...

[Corrections:
> https://www.mozilla....m-requirements/
... Windows
Operating Systems (32-bit and 64-bit)
    Windows XP SP2
    Windows Server 2003 SP1
    Windows Vista
    Windows 7
    Windows 8
    Windows 10
Please note that 64-bit builds of Firefox are only supported on Windows 7 and higher.
Windows XP/Vista/Server 2003 are no longer supported by regular Firefox releases.
These users should migrate to ESR 52..."
[Direct download for Firefox Extended Support Release]:
>> https://www.mozilla....anizations/all/
... which -is- the new -supported- version for XP and Vista.]

 

Firefox ESR Overview
- https://www.mozilla....anizations/faq/
 

Security vulnerabilities fixed in Firefox 52
- https://www.mozilla....efox/#firefox52
Fixed in Firefox 52
- https://www.mozilla....es/mfsa2017-05/
Critical
CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
CVE-2017-5401: Memory Corruption when handling ErrorResult
CVE-2017-5402: Use-after-free working with events in FontFace objects
CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object
CVE-2017-5404: Use-after-free working with ranges in selections
CVE-2017-5399: Memory safety bugs fixed in Firefox 52
CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8

- http://www.securityt....com/id/1037966
CVE Reference: CVE-2017-5398, CVE-2017-5399, CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5403, CVE-2017-5404, CVE-2017-5405, CVE-2017-5406, CVE-2017-5407, CVE-2017-5408, CVE-2017-5409, CVE-2017-5410, CVE-2017-5411, CVE-2017-5412, CVE-2017-5413, CVE-2017-5414, CVE-2017-5415, CVE-2017-5416, CVE-2017-5417, CVE-2017-5418, CVE-2017-5419, CVE-2017-5420, CVE-2017-5421, CVE-2017-5422, CVE-2017-5425, CVE-2017-5426, CVE-2017-5427
Mar 8 2017
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can cause denial of service conditions.
A remote user can delete files on the target system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof a URL.
Solution: The vendor has issued a fix (52.0)...

* Firefox ESR 45.8: https://www.mozilla....#firefoxesr45.8

___

- https://www.us-cert....Security-Update
Mar 7, 2017
 

Edited by AplusWebMaster, 09 March 2017 - 03:58 PM.

#157 AplusWebMaster

Posted 18 March 2017 - 05:25 AM

FYI...

Firefox 52.0.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

ESR download: https://www.mozilla....anizations/all/

Release notes
- https://www.mozilla....1/releasenotes/
March 17, 2017
Various security fixes
- https://www.mozilla..../#firefox52.0.1

- https://www.mozilla....irefoxesr52.0.1

> https://www.mozilla....es/mfsa2017-08/
Critical
March 17, 2017
Fixed in:
- Firefox 52.0.1
- Firefox ESR 52.0.1
CVE-2017-5428: integer overflow in createImageBitmap()

- http://www.securityt....com/id/1038060
CVE Reference: CVE-2017-5428
Mar 17 2017
Version(s): 52.0; possibly prior versions...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (52.0.1, ESR 52.0.1)...
 

Edited by AplusWebMaster, 18 March 2017 - 10:37 AM.

#158 AplusWebMaster

Posted 19 April 2017 - 12:33 PM

FYI...

Firefox 53.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

XP/Vista: 52.1.0 ESR download: https://www.mozilla....anizations/all/

Release notes
- https://www.mozilla....0/releasenotes/
April 19, 2017
Fixed:
 Various security fixes:
- https://www.mozilla....efox/#firefox53

- https://www.mozilla....es/mfsa2017-10/
Security vulnerabilities fixed in Firefox 53
Critical:
CVE-2017-5433: Use-after-free in SMIL animation functions
CVE-2017-5435: Use-after-free during transaction processing in the editor
CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2
CVE-2017-5461: Out-of-bounds write in Base64 encoding in NSS
CVE-2017-5459: Buffer overflow in WebGL
CVE-2017-5466: Origin confusion when reloading isolated data:text/html URL
CVE-2017-5430: Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1

- https://www.mozilla....es/mfsa2017-12/
Security vulnerabilities fixed in Firefox ESR 52.1
___

- http://www.securityt....com/id/1038320
CVE Reference: CVE-2017-5429, CVE-2017-5430, CVE-2017-5432, CVE-2017-5433, CVE-2017-5434, CVE-2017-5435, CVE-2017-5436, CVE-2017-5437, CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5443, CVE-2017-5444, CVE-2017-5445, CVE-2017-5446, CVE-2017-5447, CVE-2017-5448, CVE-2017-5449, CVE-2017-5450, CVE-2017-5451, CVE-2017-5452, CVE-2017-5453, CVE-2017-5454, CVE-2017-5455, CVE-2017-5456, CVE-2017-5458, CVE-2017-5459, CVE-2017-5460, CVE-2017-5461, CVE-2017-5462, CVE-2017-5463, CVE-2017-5464, CVE-2017-5465, CVE-2017-5466, CVE-2017-5467, CVE-2017-5468, CVE-2017-5469
Apr 20 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 53.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can obtain files on the target system.
A remote user can spoof a URL.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (53.0)...
___

- https://www.us-cert....ecurity-Updates
April 19, 2017
 

Edited by AplusWebMaster, 20 April 2017 - 05:20 AM.

#159 AplusWebMaster

Posted 05 May 2017 - 05:40 PM

FYI...

Firefox 53.0.2 released
- https://www.mozilla....2/releasenotes/
May 5, 2017

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

XP/Vista: 52.1.1 ESR download: https://www.mozilla....anizations/all/
> https://www.mozilla....1/releasenotes/

Fixed:
 Make form validation errors and date picker panel visible to the user (Bug 1341190)
 Various security fixes*

* https://www.mozilla..../#firefox53.0.2
High
CVE-2017-5031: Use after free in ANGLE
- https://www.mozilla....es/mfsa2017-14/
___

- https://www.us-cert....ecurity-Updates
May 05, 2017
 

Edited by AplusWebMaster, 06 May 2017 - 06:40 AM.

#160 AplusWebMaster

Posted 21 May 2017 - 12:09 PM

FYI...

Firefox 53.0.3 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

- https://www.mozilla....3/releasenotes/
May 19, 2017
Fixed:
- Fix excessive resource usage from the captive portal detection service (bug 1359697)
- Fix hangs when using a proxy with NTLM authentication (bug 1360574)...

XP/Vista: 52.1.2 ESR released
Start Firefox, then >Help >About >Apply Update ...
-or- Download: https://www.mozilla....anizations/all/

- https://www.mozilla....2/releasenotes/
May 19, 2017
Fixed:
- Fix hangs when using a proxy with NTLM authentication (bug 1360574)
 

#161 AplusWebMaster

Posted 13 June 2017 - 05:04 PM

FYI...

Firefox 54.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

Release notes:
- https://www.mozilla....0/releasenotes/
June 13, 2017
New:
- Simplified the download button and download status panel
- Added support for multiple content processes (e10s-multi)
Various security fixes:
- https://www.mozilla....efox/#firefox54

Security vulnerabilities fixed in Firefox 54
> https://www.mozilla....es/mfsa2017-15/
Critical:
CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
CVE-2017-5471: Memory safety bugs fixed in Firefox 54
CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2
___

XP/Vista: 52.2.0 ESR released
Start Firefox, then >Help >About >Apply Update ...
-or- Download: https://www.mozilla....anizations/all/

Release notes:
- https://www.mozilla....0/releasenotes/
June 13, 2017

- https://www.mozilla....#firefoxesr52.2

Security vulnerabilities fixed in Firefox ESR 52.2
> https://www.mozilla....es/mfsa2017-16/
Critical:
CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2
___

- https://www.us-cert....ecurity-Updates
June 13, 2017
___

- http://www.securityt....com/id/1038689
CVE Reference: CVE-2017-5470, CVE-2017-5471, CVE-2017-5472, CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752, CVE-2017-7754, CVE-2017-7755, CVE-2017-7756, CVE-2017-7757, CVE-2017-7758, CVE-2017-7759, CVE-2017-7760, CVE-2017-7761, CVE-2017-7762, CVE-2017-7763, CVE-2017-7764, CVE-2017-7765, CVE-2017-7766, CVE-2017-7767, CVE-2017-7768, CVE-2017-7770, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777, CVE-2017-7778
Jun 14 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 54.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A local user can obtain elevated privileges on the target system.
A local user can modify files on the target system.
A remote user can obtain files on the target system.
A remote user can spoof the address bar.
Solution: The vendor has issued a fix (ESR 52.2; 54.0)...
 

Edited by AplusWebMaster, 14 June 2017 - 05:49 AM.

#162 AplusWebMaster

Posted 30 June 2017 - 08:54 AM

FYI...

Firefox 54.0.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

Release notes:
- https://www.mozilla....1/releasenotes/
June 29, 2017
Fixed:
 Fix a display issue of tab title (bug 1357656)
 Fix a display issue of opening new tab (bug 1371995)
 Fix a display issue when opening multiple tabs (bug 1371962)
 Fix a tab display issue when downloading files (bug 1373109)
 Fix a PDF printing issue (bug 1366744)
 Fix a Netflix issue on Linux (bug 1375708)
___

XP/Vista: 52.2.1 ESR released
Start Firefox, then >Help >About >Apply Update ...
-or- Download: https://www.mozilla....anizations/all/

Release notes:
- https://www.mozilla....1/releasenotes/
June 29, 2017

Fixed: Printing text does not work on Windows when Direct2D is disabled (Bug 1318845)
 

#163 TheJoker

Posted 12 August 2017 - 08:19 AM

FYI...

 

Firefox 55.0.1 released

August 10, 2017

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

Release notes: https://www.mozilla....1/releasenotes/

  • Fix a rendering issue with some PKCS#11 libraries (bug 1388370)
  • Fix a problem causing What's new pages not to be displayed (bug 1386224)
  • Fix a regression in the tab restoration process (bug 1388160)
  • Disable the predictor prefetch (bug 1388160)

Firefox ESR: https://www.mozilla....anizations/all/

 

 


Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#164 AplusWebMaster

Posted 16 August 2017 - 09:55 AM

FYI...

Firefox 'add-on' technology is modernizing
> https://support.mozi...ogy-modernizing
"'Add-ons' allow you to add extra features and functionality to Firefox. Anyone can create an extension and make it available for people to download.
>> What's happening?
In the past, add-ons often stopped working each time a new version of Firefox was released, because developers had to update them every six weeks to keep them compatible. Since add-ons could also modify Firefox internal code directly, it was possible for bad actors to include malicious code in an innocent-looking add-on.
To address these issues, and as part of broader efforts to modernize Firefox as a whole, we’ve been transitioning to a new framework for developing Firefox extensions. You can still personalize Firefox with add-ons the same way you do now, except they won’t break in new Firefox releases.
Note: Starting in Firefox 57, which will be released in November 2017, only add-ons built with this new technology will work in Firefox. These are indicated by the “Compatible with Firefox 57+” label on addons.mozilla.org (AMO). Add-ons built with the old technology are labeled “Legacy” on the about:addons tab.
If an add-on does not have the "Compatible with 57+" label or has the -Legacy- label, the developer may be in the process of transitioning to the new technology..."
___

Fixed in Firefox v55.0:
- https://www.mozilla....efox/#firefox55

> https://www.mozilla....es/mfsa2017-18/
Critical:
CVE-2017-7798: XUL injection in the style editor in devtools
CVE-2017-7800: Use-after-free in WebSockets during disconnection
CVE-2017-7801: Use-after-free with marquee during window resizing
CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
___

FF 52.3.0 ESR released
Start Firefox, then >Help >About >Apply Update ...
-or- https://www.mozilla....anizations/all/

Release notes:
- https://www.mozilla....0/releasenotes/
August 8, 2017

Fixed:
- Various security fixes*
- Various stability and regression fixes

* https://www.mozilla....es/mfsa2017-19/
Critical:
CVE-2017-7798: XUL injection in the style editor in devtools
CVE-2017-7800: Use-after-free in WebSockets during disconnection
CVE-2017-7801: Use-after-free with marquee during window resizing
CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
 

Edited by AplusWebMaster, 25 August 2017 - 08:43 AM.

#165 AplusWebMaster

Posted 16 August 2017 - 04:17 PM

FYI...

Firefox 55.0.2 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

Release notes: https://www.mozilla....2/releasenotes/
August 16, 2017
Fixed:
- Fix a -regression- with the popup menu (Bug 1388682)
- Fix performance -regressions- with WebExtension (Bugs 1386937 & 1389381)
- Fix an issue with new installation notification for sideload add-ons (Bug 1372448)
- Fix a potential issue when the username had some specific characters in the path (Bug 1388584)
 

#166 AplusWebMaster

Posted 26 August 2017 - 04:49 AM

FYI...

Firefox 55.0.3 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

Release notes: https://www.mozilla....3/releasenotes/
August 25, 2017
Fixed:
- Fix file uploads to some websites, including YouTube (bug 1383518)
- Fix an issue with addons when using a path containing non-ascii characters (bug 1389160)
 

#167 AplusWebMaster

Posted 29 September 2017 - 09:22 AM

FYI...

Firefox 56 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

Release notes: https://www.mozilla....0/releasenotes/
Sep 28, 2017

New:
 Launched Firefox Screenshots[1], a feature that lets users take, save, and share screenshots without leaving the browser
1] https://screenshots.firefox.com/#tour
 Added support for address form autofill (en-US only)
 Updated Preferences:
   Added search tool so users can find a specific setting quickly
   Reorganized preferences so users can more easily scan settings
   Rewrote descriptions so users can better understand choices and how they affect browsing
   Revised data collection choices so they align with updated Privacy Notice and data collection strategy
 Media opened in a background tab will not play until the tab is selected
 Improved Send Tabs feature of Sync for iOS and Android, and Send Tabs can be discovered even by users without a Firefox Account
Changed:
 Replaced character encoding converters with a new Encoding Standard-compliant implementation written in Rust
 Added hardware acceleration for AES-GCM
 Updated the Safe Browsing protocol to version 4
 Reduced update download file size by approximately 20 percent
 Improved security for verifying update downloads...
Unresolved:
 Startup crashes with 64-bit Firefox on Windows 7, for users of Lenovo's "OneKey Theater" software for IdeaPad laptops. To fix this crash, please re-install 32-bit Firefox.
> https://www.mozilla....US/firefox/all/
 Startup crash with RelevantKnowledge adware installed. Firefox Support has helpful instructions to remove it:
> https://support.mozi...-caused-malware

Fixed in Firefox 56: https://www.mozilla....efox/#firefox56
> https://www.mozilla....es/mfsa2017-21/
Critical:
CVE-2017-7811: Memory safety bugs fixed in Firefox 56
CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4 ...

- http://www.securityt....com/id/1039465
CVE Reference: CVE-2017-7793, CVE-2017-7805, CVE-2017-7810, CVE-2017-7811, CVE-2017-7812, CVE-2017-7813, CVE-2017-7814, CVE-2017-7815, CVE-2017-7816, CVE-2017-7817, CVE-2017-7818, CVE-2017-7819, CVE-2017-7820, CVE-2017-7821, CVE-2017-7822, CVE-2017-7823, CVE-2017-7824, CVE-2017-7825
Sep 29 2017
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 56.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof the address bar and other user interface components.
A remote user can conduct cross-site scripting attacks.
Solution: The vendor has issued a fix (56.0)...
___

52.4.0 ESR released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....anizations/all/

Release notes: https://www.mozilla....0/releasenotes/
Sep 28, 2017

Fixed:
 Various security fixes*
 Various stability and regression fixes
* https://www.mozilla....#firefoxesr52.4
Security vulnerabilities fixed in Firefox ESR52.4
> https://www.mozilla....es/mfsa2017-22/
Critical:
CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4 ...
___

- https://www.us-cert....ecurity-Updates
Sep 28, 2017
 


#168 AplusWebMaster


Posted 02 October 2017 - 12:06 PM

FYI...

Fake Firefox updates...
> https://support.mozi...-firefox-update
"We have received reports from many users who were interrupted in their browsing experience and who got redirected to a -fake- page purporting to provide an "urgent" or "critical" update and prompting to download a firefox-patch.js (or .exe) file. Some people have also reported seeing -ads- prompting them to download a Firefox update. These are -scam- tactics trying to trick you into installing malware!... To our knowledge those notices are a form of "malvertising": those fake notices get triggered by code contained in -ads- that are displayed on otherwise legitimate websites you are visiting and get spread through advertisement networks. This is an example how such a fake update notice may look like - they are hosted on randomly generated and quickly changing domains:
>> https://support.cdn....7-10-c81e72.png
... -Fake-updates- have been spotted for other popular browsers. Although we cannot root out every bad actor on the web, we are continuing to improve Firefox's defenses against malware. Knowing how to recognize and report such frauds helps us keep the Internet open and safer."
 


#169 AplusWebMaster


Posted 05 October 2017 - 10:54 AM

FYI...

Firefox ESR E-O-L - on XP-Vista in June 2018
> https://blog.mozilla...s-xp-and-vista/
Oct 4, 2017 - "... Today we are announcing June 2018 as the final end of life date for Firefox support on Windows XP and Vista. As one of the few browsers that continues to support Windows XP and Vista, Firefox users on these platforms can expect security updates until that date. Users do not need to take additional action to receive those updates..."

> https://support.mozi...ws-xp-and-vista
 


#170 AplusWebMaster


Posted 26 October 2017 - 09:54 AM

FYI...

Firefox 56.0.2 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

Release notes:
- https://www.mozilla....2/releasenotes/
Oct 26, 2017
Fixed:
- Disable Form Autofill completely on user request (Bug 1404531)
- Fix for video-related crashes on Windows 7 (Bug 1409141)
- Correct detection for 64-bit GSSAPI authentication (Bug 1409275)
- Fix for shutdown crash (Bug 1404105)
 


#171 AplusWebMaster


Posted 14 November 2017 - 10:22 AM

FYI...

Firefox 57.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

Release notes:
- https://www.mozilla....mpaign=whatsnew
Nov 14, 2017
New:
 A completely new browsing engine, designed to take full advantage of the processing power in modern devices
 A redesigned interface with a clean, modern appearance, consistent visual elements, and optimizations for touch screens
 A unified address and search bar. New installs will see this unified bar. Learn how to add the stand-alone search bar to the toolbar
 A revamped new tab page that includes top visited sites, recently visited pages, and recommendations from Pocket (in the US, Canada, and Germany)
 An updated product tour to orient new and returning Firefox users
 AMD VP9 hardware video decoder support for improved video playback with lower power consumption
 An expanded section in preferences to manage all website permissions
Changed:
 Modernized application update UI to be less intrusive and more aligned with the rest of the browser. Only users who have not restarted their browser 8 days after downloading an update or users who opted out of automatic updates will see this change.
 Firefox does -not- support downgrades, even though this may have worked in past versions. Users who install Firefox 55+ and later downgrade to an earlier version may experience -issues- with Firefox.
 Made the Adobe Flash plugin click-to-activate by default and allowed -only- on http:// and https:// URL schemes. (This change will not be visible to all users immediately. For more information see the Firefox plugin roadmap:
- https://developer.mo...Plugins/Roadmap )

Changed: Firefox now exclusively supports extensions built using the WebExtension API, and unsupported legacy extensions will no longer work..."
> https://support.mozi...ogy-modernizing

Fixed: Various security fixes:
> https://www.mozilla....efox/#firefox57
Security vulnerabilities fixed in Firefox 57
> https://www.mozilla....es/mfsa2017-24/
Nov 14, 2017
Critical:
CVE-2017-7828: Use-after-free of PresShell while restyling layout
CVE-2017-7827: Memory safety bugs fixed in Firefox 57
CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5

> https://blog.mozilla...irefox-quantum/
___

Firefox 52.5.0 ESR released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....anizations/all/

Release notes: https://www.mozilla....0/releasenotes/
Nov 14, 2017
 Various security fixes
- https://www.mozilla....#firefoxesr52.5
Security vulnerabilities fixed in Firefox ESR 52.5
- https://www.mozilla....es/mfsa2017-25/
Critical:
CVE-2017-7828: Use-after-free of PresShell while restyling layout
CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5

 Various stability and regression fixes
___

- https://www.us-cert....ecurity-Updates
Nov 14, 2017
___

- https://www.security....com/id/1039803
CVE Reference: CVE-2017-7826, CVE-2017-7827, CVE-2017-7828, CVE-2017-7830, CVE-2017-7831, CVE-2017-7832, CVE-2017-7833, CVE-2017-7834, CVE-2017-7835, CVE-2017-7836, CVE-2017-7837, CVE-2017-7838, CVE-2017-7839, CVE-2017-7840, CVE-2017-7842
Nov 15 2017
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 57.0 ...
(More detail at the URL above.)

- https://www.security....com/id/1039805
CVE Reference: CVE-2017-7826, CVE-2017-7828, CVE-2017-7830
Nov 15 2017
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to ESR 52.5 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can modify data on the target system.
A local user can obtain elevated privileges on the target system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof a URL.
Solution: The vendor has issued a fix for CVE-2017-7826, CVE-2017-7828, and CVE-2017-7830 for Firefox ESR (52.5)...
 



Edited by AplusWebMaster, 16 November 2017 - 05:57 AM.


#172 AplusWebMaster


Posted 30 November 2017 - 11:39 AM

FYI...

Firefox 57.0.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

Release notes:
- https://www.mozilla....mpaign=whatsnew
Nov 29, 2017
Fixed:
 Fix a video color distortion issue on YouTube and other video sites with some AMD devices (bug 1417442)
 Fix an issue with prefs.js when the profile path has non-ascii characters (bug 1420427) ...
 Google map crashes on OSX with Intel HD Graphics 3000
Changed:
 Block injection of a client library associated with the RealPlayer Free player which is known to cause performance problems in Firefox. (Bug 1418535)

> https://www.mozilla....es/mfsa2017-27/
Fixed in: Firefox 57.0.1
___

> https://www.ixquick.com/
"Firefox's latest update (57.0.1) aggressively tries to reset your default search engine to Google! To make StartPage your default search engine again after the update, please follow the instructions... You may want to bookmark this article now..."
* https://support.star...t-search-engine
___

- https://www.us-cert....-Update-Firefox
Dec 04, 2017
 



Edited by AplusWebMaster, 05 December 2017 - 04:45 AM.


#173 AplusWebMaster


Posted 08 December 2017 - 07:21 AM

FYI...

Firefox 57.0.2 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

Release notes:
- https://www.mozilla....mpaign=whatsnew
Dec 07, 2017
Fixed:
- Block old versions of G Data Endpoint Security for crashing Firefox on start up - Windows only (bug 1421991)
- Fix a regression with WebGL and D3D9 - Windows only

Firefox 57.0.2: https://www.mozilla....es/mfsa2017-29/
___

Firefox ESR 52.5.2 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....anizations/all/

Release notes: https://www.mozilla....2/releasenotes/
Dec 07, 2017
- Various security fixes: https://www.mozilla....irefoxesr52.5.2

ESR 52.5.2: https://www.mozilla....es/mfsa2017-28/
___

> https://www.us-cert....ecurity-Updates
Dec 07, 2017
 


#174 AplusWebMaster


Posted 28 December 2017 - 03:44 PM

FYI...

Firefox 57.0.3 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

> https://www.mozilla....3/releasenotes/
Dec 28, 2017
Fixed: Fix a crash reporting issue that inadvertently sends background tab crash reports to Mozilla without user opt-in (bug 1427111)
 


#175 AplusWebMaster


Posted 04 January 2018 - 07:38 PM

FYI...

Firefox 57.0.4 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

> https://www.mozilla....4/releasenotes/
Jan 4, 2018
Fixed: Security fixes* to address the Meltdown and Spectre** timing attacks.
* https://www.mozilla..../#firefox57.0.4
...
> https://www.mozilla....es/mfsa2018-01/

** https://blog.mozilla...-timing-attack/
___

> https://www.us-cert....Security-Update
Jan 04, 2018

> https://www.us-cert....lerts/TA18-004A
Jan 04, 2018
 


#176 AplusWebMaster


Posted 23 January 2018 - 04:21 PM

FYI...

Firefox 58.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

> https://www.mozilla....0/releasenotes/
Jan 23, 2018
New: Performance improvements, including:
        Rendering graphics for Windows users by using Off-Main-Thread Painting (OMTP)
        Loading pages faster by changing how Firefox caches and retrieves JavaScript
    Improvements to Firefox Screenshots:
        Copy and paste screenshots directly to your clipboard
        Firefox Screenshots now works in Private Browsing mode
    Added Nepali (ne-NP) locale
    In case you missed it—57 Release privacy and performance feature:
    Users can enable Tracking Protection at all times. Learn how to turn Tracking Protection on.
Fixed:
    Fonts installed in non-standard directories will no longer appear blank for Linux users
    Various security fixes*
Changed:
    User profiles created in Firefox 58 (and in future releases) are not supported in previous versions of Firefox. Users who downgrade to a previous version should create a new profile for that version. Learn about alternatives to downgrading on our support site.
    Added a warning to alert users and site owners of planned security changes to sites affected by the gradual distrust plan for the Symantec certificate authority

* https://www.mozilla....efox/#firefox58
...
- https://www.mozilla....es/mfsa2018-02/
CVE-2018-5091: Use-after-free with DTMF timers
Critical
CVE-2018-5090: Memory safety bugs fixed in Firefox 58
Critical
CVE-2018-5089: Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
Critical
___

Firefox ESR 52.6 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....anizations/all/

Release notes: https://www.mozilla....0/releasenotes/
Jan 23, 2018
    Various stability and regression fixes
    Various security fixes*
* https://www.mozilla....#firefoxesr52.6
...
- https://www.mozilla....es/mfsa2018-03/
CVE-2018-5091: Use-after-free with DTMF timers
Critical
CVE-2018-5089: Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
Critical
___

- https://www.us-cert....ecurity-Updates
Jan 23, 2018
 


#177 AplusWebMaster


Posted 30 January 2018 - 06:45 PM

FYI...

Firefox 58.0.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

> https://www.mozilla....1/releasenotes/
Jan 29, 2018
Fixed:
 Security fix: When using certain non-default security policies on Windows (for example with Windows Defender Exploit Protection or Webroot security products), Firefox 58.0 would fail to load pages (bug 1433065).

- https://www.mozilla....es/mfsa2018-05/
Jan 29, 2018
Critical
Fixed in: Firefox 58.0.1
 This issue did not affect Firefox for Android or Firefox 52 ESR.
References: Sanitize HTML fragments created for chrome-privileged documents (CVE-2018-5124)
___

- https://www.us-cert....-Update-Firefox
Jan 30, 2018
___

- https://www.security....com/id/1040308
CVE Reference: CVE-2018-5124
Jan 30 2018
Fix Available:  Yes  Vendor Confirmed:  Yes  
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (58.0.1).
 



Edited by AplusWebMaster, 02 February 2018 - 07:16 AM.
