Jump to content
CCleaner Community Forums
nodles

The Firefox/Mozilla Thread

Recommended Posts

ff v69.0.1

 

18. sept. 2019

 

Fixed

  • Fixed external programs launching in the background when clicking a link from inside Firefox to launch them (bug 1570845)

  • Usability improvements to the Add-ons Manager for users with screen readers (bug 1567600)

  • Fixed the Captive Portal notification bar not being dismissable in some situations after login is complete (bug 1578633)

  • Fixed the maximum size of fonts in Reader Mode when zoomed (bug 1578454)

  • Fixed missing stacks in the Developer Tools Performance section (bug 1578354)

  • Security and stability fixes

Share this post


Link to post
Share on other sites

ff v69.0.2

 

03. oct. 2019

 

Fixed

  • Fixed a crash when editing files on Office 365 websites (bug 1579858)

  • Fixed detection of the Windows 10 Parental Controls feature being enabled (bug 1584613)

  • Fixed a Linux-only crash when changing the playback speed while watching YouTube videos (bug 1582222)

Share this post


Link to post
Share on other sites

ff v69.0.3

 

10. oct. 2019

 

Fixed

  • Fixed download errors for Windows 10 users with Parental Controls enabled (bug 1586228)

  • Fixed Yahoo mail users being prompted to download files when clicking on emails (bug 1582848)

Share this post


Link to post
Share on other sites

ff v68.2.0 esr

 

22. oct. 2019

 

Fixed

Enterprise

  • New administrative policies were added. More information and templates are available at the Policy Templates page.

 

 

Quote

 

CVE-2019-15903: Heap overflow in expat library in XML_GetCurrentLineNumber

Reporter
Sebastian Pipping
Impact
high
Description

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early. A subsequent call to XML_GetCurrentLineNumber or XML_GetCurrentColumnNumber then resulted in a heap-based buffer over-read.

References

#CVE-2019-11757: Use-after-free when creating index updates in IndexedDB

Reporter
Zhanjia Song
Impact
high
Description

When following the value's prototype chain, it was possible to retain a reference to a locale, delete it, and subsequently reference it. This resulted in a use-after-free and a potentially exploitable crash.

References

#CVE-2019-11758: Potentially exploitable crash due to 360 Total Security

Reporter
Mozilla developers and community
Impact
high
Description

Mozilla community member Philipp reported a memory safety bug present in Firefox 68 when 360 Total Security was installed. This bug showed evidence of memory corruption in the accessibility engine and we presume that with enough effort that it could be exploited to run arbitrary code.

References

#CVE-2019-11759: Stack buffer overflow in HKDF output

Reporter
Guido Vranken
Impact
moderate
Description

An attacker could have caused 4 bytes of HMAC output to be written past the end of a buffer stored on the stack. This could be used by an attacker to execute arbitrary code or more likely lead to a crash.

References

#CVE-2019-11760: Stack buffer overflow in WebRTC networking

Reporter
Nils
Impact
moderate
Description

A fixed-size stack buffer could overflow in nrappkit when doing WebRTC signaling. This resulted in a potentially exploitable crash in some instances.

References

#CVE-2019-11761: Unintended access to a privileged JSONView object

Reporter
Cody Crews
Impact
moderate
Description

By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms.

References

#CVE-2019-11762: document.domain-based origin isolation has same-origin-property violation

Reporter
Kris Maglione
Impact
moderate
Description

If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window.

References

#CVE-2019-11763: Incorrect HTML parsing results in XSS bypass technique

Reporter
Gareth Heyes
Impact
moderate
Description

Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly parsing these entities. This could have led to HTML comment text being treated as HTML which could have led to XSS in a web application under certain conditions. It could have also led to HTML entities being masked from filters - enabling the use of entities to mask the actual characters of interest from filters.

References

#CVE-2019-11764: Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2

Reporter
Mozilla developers and community
Impact
critical
Description

Mozilla developers and community members Bob Clary, Jason Kratzer, Aaron Klotz, Iain Ireland, Tyson Smith, Christian Holler, Steve Fink, Honza Bambas, Byron Campen, and Cristian Brindusan reported memory safety bugs present in Firefox 69 and Firefox ESR 68.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code.

References

 

  •  

Share this post


Link to post
Share on other sites

ff v70.0

 

22. oct. 2019

 

New

  • More privacy protections from Enhanced Tracking Protection:

  • More security protections from Firefox Lockwise, our digital identity and password management tool:

    • Lockwise for desktop lets you create, update, and delete your logins and passwords to sync across all your devices, including the Lockwise mobile apps and Firefox mobile browsers
.
    • Integrated breach alerts from Firefox Monitor, to alert you when saved logins and passwords are compromised in online data breaches.
    • Complex password generation, to help you create and save strong passwords for new online accounts.
  • Improvements to core engine components, for better browsing on more sites

    • A faster Javascript Baseline Interpreter to handle the modern web’s
      large codebases and improve page load performance by as much as 8
      percent.
    • WebRender rolled out to more Firefox for Windows users, now available by default on Windows desktops with integrated Intel graphics cards and resolution of 1920x1200 or less) for improved graphics rendering.
    • Compositor improvements in Firefox for macOS that reduce power
      consumption, speed up page load by as much as 22 percent, and reduce
      resource use for video by up to 37 percent.
  • More browser features to help you get the most out of Firefox products and services

    • A stand-alone Firefox account menu for easy access to Firefox services like Monitor and Send.
    • A message panel accessed from the gift icon in the toolbar that offers a quick overview of new releases and key features.
    • When a website uses your geolocation, an indicator is shown in the
      address bar.

Fixed

Changed

  • Built-in Firefox pages now follow the system dark mode preference

  • Aliased theme properties have been removed, which may affect some themes

  • Passwords can now be imported from Chrome on macOS in addition to existing support for Windows

  • Readability is now greatly improved on under- or overlined texts, including links. The lines will now be interrupted instead of crossing over a glyph.

  • Improved privacy and security indicators

    • A new crossed-out lock icon will indicate sites delivered via
      insecure HTTP
    • The formerly green lock icon is now grey
    • The Extended Validation (EV) indicator has been moved to the identity
      popup that appears when clicking the lock icon

Developer

  • Developer Information
  • Developer Information
    For additional developer resources from Mozilla, visit our Mozilla Developer YouTube channel for new videos every week.

  • The Developer Tools Accessibility panel now includes an audit for keyboard accessibility and a color deficiency simulator for systems with WebRender enabled

  • Inactive CSS: The Inspector now grays out CSS declarations that don’t affect the selected element and shows a tooltip explaining why -- and even how to fix it.

  • The new DOM Mutation Breakpoints in Developer Tools allows developers to diagnose when scripts add, remove or update page content. This makes debugging of complex script interactions and dependencies a lot easier.

  • WebExtensions developers can now inspect browser.storage.local data using the "Addon Debugging" Firefox Developer Tools.

  • With new network resource search in Developer Tools, you can quickly find resources based on their request and response data, including headers, cookies and content.

unresolved

Share this post


Link to post
Share on other sites

ff v70.0.1

 

31. oct. 2019

 

Fixed

  • Fix for an issue that caused some websites or page elements using dynamic JavaScript to fail to load. (Bug 1592136)

  • Update OpenH264 video plugin for macOS 10.15 users (Bug 1587543)

  • Title bar no longer shows in full screen view (Bug 1588747)

Changed

  • OpenH264 video codec version bump for macOS 10.15 users (Bug 1587543)

Share this post


Link to post
Share on other sites

ff v71.0

 

03. dec. 2019

 

New

  • Improvements to Lockwise, our integrated password manager:

    • Firefox now suggests saved logins from other subdomains of a site
    • Integrated breach alerts from Firefox Monitor are now available to users with screen readers
  • More information about Enhanced Tracking Protection in action:

    • Notifications when Firefox blocks cryptominers
    • A running tally of blocked trackers in the protection panel accessed by clicking the address bar shield
  • Picture-in-picture video comes to Firefox for Windows: Select the blue icon from the right edge of a video to pop open a floating window so you can keep watching while working in other tabs. Learn how the feature works.

  • Native MP3 decoding on Windows, Linux, and macOS

Fixed

Changed

Enterprise

  • New kiosk mode functionality, which allows maximum screen space for customer-facing displays

Developer

  • Developer Information
  • Added support for developers, including:

    • DevTools’ Network panel can now inspect WebSocket messages and automatically formats a variety of framework formats
    • Console’s new multi-line editor mode provides an IDE-like experience that makes it convenient to iterate on longer code snippets
    • The Network panel’s new resource blocking can simulate the impact of tracking protection, security, service outages, and bad connectivity for more robust testing
    • More features and improvements can be found every release in DevTools’ “What’s New” panel in en-US
  • New videos every week on the Mozilla Developer YouTube channel

  • Improvements to the website certificate viewer, with more features and more detailed information

  • Improvements to the extensions downloads API for handling download failures

  • Extension popup windows now include the extension name instead of its moz-extension:// url when using the windows.create API

  • Extension-registered devtools panels now interact better with screen readers

unresolved

  • Some Windows users who had previously installed and uninstalled Comodo antivirus software may not be able to start Firefox. Information on how to resolve this issue is described on support.mozilla.org or in the support knowledgebase.

Share this post


Link to post
Share on other sites

ff v68.3.0 esr

 

03. dec. 2019

 

Fixed

 

 

Quote

 

Security Vulnerabilities fixed in - Firefox ESR 68.3

Announced
December 3, 2019
Impact
high
Products
Firefox ESR
Fixed in
  • Firefox ESR 68.3

#CVE-2019-17008: Use-after-free in worker destruction

Reporter
Looben Yang
Impact
high
Description

When using nested workers, a use-after-free could occur during worker destruction. This resulted in a potentially exploitable crash.

References

#CVE-2019-13722: Stack corruption due to incorrect number of arguments in WebRTC code

Reporter
Alexandru Michis
Impact
high
Description

When setting a thread name on Windows in WebRTC, an incorrect number of arguments could have been supplied, leading to stack corruption and a potentially exploitable crash.
Note: this issue only occurs on Windows. Other operating systems are unaffected.

References

#CVE-2019-11745: Out of bounds write in NSS when encrypting with a block cipher

Reporter
Craig Disselkoen
Impact
high
Description

When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash.

References

#CVE-2019-17009: Updater temporary files accessible to unprivileged processes

Reporter
Robert Strong
Impact
moderate
Description

When running, the updater service wrote status and log files to an unrestricted location; potentially allowing an unprivileged process to locate and exploit a vulnerability in file handling in the updater service.
Note: This attack requires local system access and only affects Windows. Other operating systems are not affected.

References

#CVE-2019-17010: Use-after-free when performing device orientation checks

Reporter
Nils
Impact
moderate
Description

Under certain conditions, when checking the Resist Fingerprinting preference during device orientation checks, a race condition could have caused a use-after-free and a potentially exploitable crash.

References

#CVE-2019-17005: Buffer overflow in plain text serializer

Reporter
Mirko Brodesser
Impact
moderate
Description

The plain text serializer used a fixed-size array for the number of

  1. elements it could process; however it was possible to overflow the static-sized array leading to memory corruption and a potentially exploitable crash.

     

    References

#CVE-2019-17011: Use-after-free when retrieving a document in antitracking

Reporter
Nils
Impact
moderate
Description

Under certain conditions, when retrieving a document from a DocShell in the antitracking code, a race condition could cause a use-after-free condition and a potentially exploitable crash.

References

#CVE-2019-17012: Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3

Reporter
Mozilla developers and community
Impact
high
Description

Mozilla developers Christoph Diehl, Nathan Froyd, Jason Kratzer, Christian Holler, Karl Tomlinson, Tyson Smith reported memory safety bugs present in Firefox 70 and Firefox ESR 68.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

 

 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...