Firefox updated...



AplusWebMaster
2012-06-05, 18:32
FYI...

Firefox v13 released

From an admin. account, start Firefox, then >Help >About >Check for Updates
-or-
Download: https://www.mozilla.com/firefox/all.html
June 5, 2012

What's new...
- https://www.mozilla.org/firefox/13.0/releasenotes/
Release Notes/Bug fixes ... See: Known Issues...
Complete list of changes in this release:
- https://www.mozilla.org/firefox/13.0/releasenotes/buglist.html
Security Advisories:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox13
Fixed in Firefox 13
MFSA 2012-40 Buffer overflow and use-after-free issues found using Address Sanitizer
MFSA 2012-39 NSS parsing errors with zero length items
MFSA 2012-38 Use-after-free while replacing/inserting a node in a document
MFSA 2012-37 Information disclosure through Windows file shares and shortcut files
MFSA 2012-36 Content Security Policy inline-script bypass
MFSA 2012-35 Privilege escalation through Mozilla Updater and Windows Updater Service
MFSA 2012-34 Miscellaneous memory safety hazards
___

- http://www.securitytracker.com/id/1027120
CVE Reference:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0441 - 5.0
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1937 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1938 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1939 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1940 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1941 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1942 - 7.2 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1943 - 6.9
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1944 - 4.3
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1945 - 2.9
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1946 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1947 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3105 - 9.3 (HIGH)
Jun 6 2012
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Version(s): prior to 13.0

- https://secunia.com/advisories/49368/
Release Date: 2012-06-06
Criticality level: Highly critical
Impact: Unknown, Exposure of sensitive information, Privilege escalation, DoS, System access
Where: From remote...
Solution: Upgrade to Firefox version 13.0...

:fear:

AplusWebMaster
2012-06-16, 18:11
FYI...

Firefox v13.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates
-or-
Download: https://www.mozilla.com/firefox/all.html
June 15, 2012

What's new...
- https://www.mozilla.org/firefox/13.0.1/releasenotes/
Flash 11.3 sometimes caused a crash on quit (747683*, fixed in 13.0.1)...
* https://bugzilla.mozilla.org/show_bug.cgi?id=747683

:fear:

AplusWebMaster
2012-06-25, 21:23
FYI...

Firefox "new tab" thumbnail feature - disable

- http://h-online.com/-1625761
25 June 2012 - "... users can completely disable the new tab page feature in Firefox by changing some advanced preferences under "about:config" ..."

- http://www.h-online.com/security/news/item/Security-concerns-over-Firefox-s-new-tab-thumbnail-feature-1625761.html?view=zoom;zoom=1

- http://www.theregister.co.uk/2012/06/22/firefox_new_tab_security_concerns/
22 June 2012

:fear: :sad:

AplusWebMaster
2012-07-17, 18:44
FYI...

Firefox v14.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates then Apply Update
-or-
Download: https://www.mozilla.com/firefox/all.html
July 17, 2012

What's new...
- https://www.mozilla.org/firefox/14.0.1/releasenotes/
Complete list of Bug fixes:
- https://www.mozilla.org/en-US/firefox/14.0.1/releasenotes/buglist.html

Security Advisories for v14.0.1:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox14
Fixed in Firefox 14
MFSA 2012-56 Code execution through javascript: URLs
MFSA 2012-55 feed: URLs with an innerURI inherit security context of page
MFSA 2012-53 Content Security Policy 1.0 implementation errors cause data leakage
MFSA 2012-52 JSDependentString::undepend string conversion results in memory corruption
MFSA 2012-51 X-Frame-Options header ignored when duplicated
MFSA 2012-50 Out of bounds read in QCMS
MFSA 2012-49 Same-compartment Security Wrappers can be bypassed
MFSA 2012-48 use-after-free in nsGlobalWindow::PageHidden
MFSA 2012-47 Improper filtering of javascript in HTML feed-view
MFSA 2012-46 XSS through data: URLs
MFSA 2012-45 Spoofing issue with location
MFSA 2012-44 Gecko memory corruption
MFSA 2012-43 Incorrect URL displayed in addressbar through drag and drop
MFSA 2012-42 Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6)
___

- http://www.securitytracker.com/id/1027256
CVE Reference: CVE-2012-1948, CVE-2012-1949, CVE-2012-1950, CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954, CVE-2012-1955, CVE-2012-1957, CVE-2012-1958, CVE-2012-1959, CVE-2012-1960, CVE-2012-1961, CVE-2012-1962, CVE-2012-1963, CVE-2012-1965, CVE-2012-1966, CVE-2012-1967
Jul 17 2012
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Version(s): prior to 14...

- https://secunia.com/advisories/49965/
Release Date: 2012-07-18
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, System access
Where: From remote...
Solution: Upgrade to version 14...

:fear:

AplusWebMaster
2012-08-28, 23:14
FYI...

Firefox v15.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates then Apply Update
-or-
Download: https://www.mozilla.com/firefox/all.html
August 28, 2012

What's new...
- https://www.mozilla.org/en-US/firefox/15.0/releasenotes/
Complete list of Bug fixes:
- https://www.mozilla.org/en-US/firefox/15.0/releasenotes/buglist.html

Security Advisories for v15.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox15
Fixed in Firefox 15
MFSA 2012-72 Web console eval capable of executing chrome-privileged code
MFSA 2012-71 Insecure use of __android_log_print
MFSA 2012-70 Location object security checks bypassed by chrome code
MFSA 2012-69 Incorrect site SSL certificate data display
MFSA 2012-68 DOMParser loads linked resources in extensions when parsing text/html
MFSA 2012-67 Installer will launch incorrect executable following new installation
MFSA 2012-66 HTTPMonitor extension allows for remote debugging without explicit activation
MFSA 2012-65 Out-of-bounds read in format-number in XSLT
MFSA 2012-64 Graphite 2 memory corruption
MFSA 2012-63 SVG buffer overflow and use-after-free issues
MFSA 2012-62 WebGL use-after-free and memory corruption
MFSA 2012-61 Memory corruption with bitmap format images with negative height
MFSA 2012-60 Escalation of privilege through about:newtab
MFSA 2012-59 Location object can be shadowed using Object.defineProperty
MFSA 2012-58 Use-after-free issues found using Address Sanitizer
MFSA 2012-57 Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7)
___

- http://www.securitytracker.com/id/1027450
CVE Reference: CVE-2012-1956, CVE-2012-1970, CVE-2012-1971, CVE-2012-1972, CVE-2012-1973, CVE-2012-1974, CVE-2012-1975, CVE-2012-1976, CVE-2012-3956, CVE-2012-3957, CVE-2012-3958, CVE-2012-3959, CVE-2012-3960, CVE-2012-3961, CVE-2012-3962, CVE-2012-3963, CVE-2012-3964, CVE-2012-3965, CVE-2012-3966, CVE-2012-3967, CVE-2012-3968, CVE-2012-3969, CVE-2012-3970, CVE-2012-3971, CVE-2012-3972, CVE-2012-3973, CVE-2012-3974, CVE-2012-3975, CVE-2012-3976, CVE-2012-3978, CVE-2012-3979, CVE-2012-3980
Aug 29 2012
Impact: Disclosure of system information, Execution of arbitrary code via network, User access via local system, User access via network
Version(s): prior to 15.0 ...

- https://secunia.com/advisories/50088/
Release Date: 2012-08-29
Criticality level: Highly critical
Impact: Cross Site Scripting, Spoofing, Exposure of sensitive information, System access
Where: From remote...
Solution: Upgrade to version 15.

:fear:

AplusWebMaster
2012-09-07, 15:20
FYI...

Firefox v15.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates then Apply Update
-or-
Download: https://www.mozilla.com/firefox/all.html
September 6, 2012

What's new...
- https://www.mozilla.org/en-US/firefox/15.0.1/releasenotes/
Complete list of Bug fixes:
- https://www.mozilla.org/en-US/firefox/15.0.1/releasenotes/buglist.html

- http://www.ghacks.net/2012/09/06/firefox-15-0-1-update-reader-expect-distribution-soon/
Sep 6, 2012 - "... unfortunate bug in Mozilla Firefox 15 stable that is preventing the browser's private browsing mode from working correctly. The bug was discovered shortly after Firefox 15 was distributed to users of the stable channel of the browser, and Mozilla has been working diligently ever since to resolve the issue... It is an issue of trust for Mozilla mainly, which can easily be lost if sensitive features are not working like they should. For users the situation may have been even more precarious as it may have forced them to explain their browsing activities to third parties..."
- http://cdn.ghacks.net/wp-content/uploads/2012/09/firefox-15.0.1.jpg
___

- http://h-online.com/-1702798
7 Sep 2012

:fear: :sad:

AplusWebMaster
2012-10-10, 01:58
FYI...

Firefox v16.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates then Apply Update
-or-
Download: https://www.mozilla.com/firefox/all.html
Oct 9, 2012

What's new...
- https://www.mozilla.org/en-US/firefox/16.0/releasenotes/
Complete list of Bug fixes:
- https://www.mozilla.org/en-US/firefox/16.0/releasenotes/buglist.html

Security Advisories for v16.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox16
Fixed in Firefox 16
MFSA 2012-87 Use-after-free in the IME State Manager
MFSA 2012-86 Heap memory corruption issues found using Address Sanitizer
MFSA 2012-85 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer
MFSA 2012-84 Spoofing and script injection through location.hash
MFSA 2012-83 Chrome Object Wrapper (COW) does not disallow access to privileged functions or properties
MFSA 2012-82 top object and location property accessible by plugins
MFSA 2012-81 GetProperty function can bypass security checks
MFSA 2012-80 Crash with invalid cast when using instanceof operator
MFSA 2012-79 DOS and crash with full screen and history navigation
MFSA 2012-78 Reader Mode pages have chrome privileges
MFSA 2012-77 Some DOMWindowUtils methods bypass security checks
MFSA 2012-76 Continued access to initial origin after setting document.domain
MFSA 2012-75 select element persistence allows for attacks
MFSA 2012-74 Miscellaneous memory safety hazards ...
___

- https://secunia.com/advisories/50856/
Release Date: 2012-10-10
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, System access
Where: From remote...
Solution: Upgrade to version 16...

- http://www.securitytracker.com/id/1027631
CVE Reference: CVE-2012-3982, CVE-2012-3983, CVE-2012-3984, CVE-2012-3985, CVE-2012-3986, CVE-2012-3987, CVE-2012-3988, CVE-2012-3989, CVE-2012-3990, CVE-2012-3991, CVE-2012-3992, CVE-2012-3993, CVE-2012-3994, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4184, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188
Oct 10 2012
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network...
Solution: The vendor has issued a fix (ESR 10.0.8; 16.0).

:fear::fear:

AplusWebMaster
2012-10-11, 21:55
FYI...

Firefox v16.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates then Apply Update
-or-
Download: https://www.mozilla.com/firefox/all.html
Oct 11, 2012

What's new...
- https://www.mozilla.org/en-US/firefox/16.0.1/releasenotes/

- https://blog.mozilla.org/security/2012/10/10/security-vulnerability-in-firefox-16/
"Impact: The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters..."

Security Advisories for v16.0.1:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox16.0.1
Fixed in Firefox 16.0.1
MFSA 2012-89 defaultValue security checks not applied
"... regression where security wrappers are unwrapped without doing a security check in defaultValue(). This can allow for improper access to the Location object... CVE-2012-4192, CVE-2012-4193..."
MFSA 2012-88 Miscellaneous memory safety hazards (rv:16.0.1)
"... bugs showed evidence of memory corruption under certain circumstances... some of these could be exploited to run arbitrary code... websockets crash affecting Firefox 16... CVE-2012-4190, CVE-2012-4191..."

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4190 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4191 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4192 - 4.3
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4193 - 9.3 (HIGH)
12 Oct 2012
___

- http://www.securitytracker.com/id/1027653
CVE Reference: CVE-2012-4190, CVE-2012-4191
Oct 12 2012
Impact: A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (16.0.1).

- https://secunia.com/advisories/50932/
Last Update: 2012-10-12
Criticality level: Highly critical
Impact: Security Bypass, System access
Where: From remote
CVE Reference(s): CVE-2012-4190, CVE-2012-4191, CVE-2012-4192, CVE-2012-4193
... vulnerabilities are reported in Firefox and Thunderbird versions -prior- to 16.0.1 and SeaMonkey versions -prior- to 2.13.1.
Solution: Update Firefox and Thunderbird to versions 16.0.1 and SeaMonkey to version 2.13.1.

- http://h-online.com/-1728382
12 Oct 2012

:fear::fear:

AplusWebMaster
2012-10-27, 05:30
FYI...

Firefox v16.0.2 released

From an admin. account, start Firefox, then >Help >About >Check for Updates then Apply Update
-or-
Download: https://www.mozilla.com/firefox/all.html
Oct 26, 2012

What's new...
- https://www.mozilla.org/en-US/firefox/16.0.2/releasenotes/

Security Advisories for v16.0.2:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox16.0.2
MFSA 2012-90 Fixes for Location object issues
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4194 - 4.3
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4195 - 5.1
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4196 - 5.0
... before 16.0.2...
___

- http://www.securitytracker.com/id/1027701
CVE Reference: CVE-2012-4194, CVE-2012-4195, CVE-2012-4196
Oct 27 2012
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Solution: The vendor has issued a fix (16.0.2, ESR 10.0.10).

- https://secunia.com/advisories/51144/
Release Date: 2012-10-29
Impact: Security Bypass, Cross Site Scripting
Where: From remote
Original Advisory: Mozilla:
http://www.mozilla.org/security/announce/2012/mfsa2012-90.html

:fear:

AplusWebMaster
2012-11-20, 19:37
FYI...

Firefox v17.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html
Nov 20, 2012

What's new...
- https://www.mozilla.org/en-US/firefox/17.0/releasenotes/
Complete list of Bug fixes:
- https://www.mozilla.org/en-US/firefox/17.0/releasenotes/buglist.html

Security Advisories for v17.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox17
MFSA 2012-106 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer
MFSA 2012-105 Use-after-free and buffer overflow issues found using Address Sanitizer
MFSA 2012-104 CSS and HTML injection through Style Inspector
MFSA 2012-103 Frames can shadow top.location
MFSA 2012-102 Script entered into Developer Toolbar runs with chrome privileges
MFSA 2012-101 Improper character decoding in HZ-GB-2312 charset
MFSA 2012-100 Improper security filtering for cross-origin wrappers
MFSA 2012-99 XrayWrappers exposes chrome-only properties when not in chrome compartment
MFSA 2012-98 Firefox installer DLL hijacking
MFSA 2012-97 XMLHttpRequest inherits incorrect principal within sandbox
MFSA 2012-96 Memory corruption in str_unescape
MFSA 2012-95 Javascript: URLs run in privileged context on New Tab page
MFSA 2012-94 Crash when combining SVG text on path with CSS
MFSA 2012-93 evalInSandbox location context incorrectly applied
MFSA 2012-92 Buffer overflow while rendering GIF images
MFSA 2012-91 Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11) ...
___

- http://www.securitytracker.com/id/1027791
CVE Reference: CVE-2012-4201, CVE-2012-4202, CVE-2012-4203, CVE-2012-4204, CVE-2012-4205, CVE-2012-4206, CVE-2012-4207, CVE-2012-4208, CVE-2012-4209, CVE-2012-4210, CVE-2012-4212, CVE-2012-4213, CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-4217, CVE-2012-4218, CVE-2012-5829, CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5836, CVE-2012-5837, CVE-2012-5839, CVE-2012-5840, CVE-2012-5841, CVE-2012-5842, CVE-2012-5843
Nov 21 2012
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (17.0)...

- https://secunia.com/advisories/51358/
Release Date: 2012-11-21
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, System access
Where: From remote...
Solution: Upgrade to version 17.0...
___

- http://h-online.com/-1754171
21 Nov 2012

:fear:

AplusWebMaster
2012-12-01, 07:03
FYI...

Firefox v17.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html
Nov 30, 2012

What's new...
- https://www.mozilla.org/en-US/firefox/17.0.1/releasenotes/

Complete list of Bug fixes:
- https://www.mozilla.org/en-US/firefox/17.0.1/releasenotes/buglist.html

Security Advisories for v17.0.1:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox17.0.1
Not available as of the date/time of this post

:confused:

AplusWebMaster
2013-01-08, 18:01
FYI...

Firefox v18.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html
Jan 8, 2013

What's new...
- https://www.mozilla.org/en-US/firefox/18.0/releasenotes/
Complete list of Bug fixes:
- https://www.mozilla.org/en-US/firefox/18.0/releasenotes/buglist.html

Security Advisories for v18.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox18
Fixed in Firefox 18
MFSA 2013-20 Mis-issued TURKTRUST certificates
MFSA 2013-19 Use-after-free in Javascript Proxy objects
MFSA 2013-18 Use-after-free in Vibrate
MFSA 2013-17 Use-after-free in ListenerManager
MFSA 2013-16 Use-after-free in serializeToStream
MFSA 2013-15 Privilege escalation through plugin objects
MFSA 2013-14 Chrome Object Wrapper (COW) bypass through changing prototype
MFSA 2013-13 Memory corruption in XBL with XML bindings containing SVG
MFSA 2013-12 Buffer overflow in Javascript string concatenation
MFSA 2013-11 Address space layout leaked in XBL objects
MFSA 2013-10 Event manipulation in plugin handler to bypass same-origin policy
MFSA 2013-09 Compartment mismatch with quickstubs returned values
MFSA 2013-08 AutoWrapperChanger fails to keep objects alive during garbage collection
MFSA 2013-07 Crash due to handling of SSL on threads
MFSA 2013-06 Touch events are shared across iframes
MFSA 2013-05 Use-after-free when displaying table with many columns and column groups
MFSA 2013-04 URL spoofing in addressbar during page loads
MFSA 2013-03 Buffer Overflow in Canvas
MFSA 2013-02 Use-after-free and buffer overflow issues found using Address Sanitizer
MFSA 2013-01 Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2)
MFSA 2012-98 Firefox installer DLL hijacking
___

- http://www.securitytracker.com/id/1027955
CVE Reference: CVE-2013-0743, CVE-2013-0744, CVE-2013-0745, CVE-2013-0746, CVE-2013-0747, CVE-2013-0748, CVE-2013-0749, CVE-2013-0750, CVE-2013-0751, CVE-2013-0752, CVE-2013-0753, CVE-2013-0754, CVE-2013-0755, CVE-2013-0756, CVE-2013-0757, CVE-2013-0758, CVE-2013-0759, CVE-2013-0760, CVE-2013-0761, CVE-2013-0762, CVE-2013-0763, CVE-2013-0764, CVE-2013-0766, CVE-2013-0767, CVE-2013-0768, CVE-2013-0769, CVE-2013-0770, CVE-2013-0771
Jan 9 2013
Impact: Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 18.0
Solution: The vendor has issued a fix (ESR 10.0.12, ESR 17.0.2, 18.0)...

- http://h-online.com/-1780088
9 Jan 2013 - "Mozilla has fixed 20 security holes with the release... 12 of these vulnerabilities have been rated critical by the organisation, the rest are classified as having high impact..."

:spider:

AplusWebMaster
2013-01-19, 19:02
FYI...

Firefox v18.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

What's new...
- https://www.mozilla.org/en-US/firefox/18.0.1/releasenotes/
Jan 18, 2013
18.0.1: Problems involving HTTP Proxy Transactions (Associated bugs)
18.0.1: Unity player crashes on Mac OS X (bug 828954)
18.0.1: Disabled HIDPI support on external monitors to avoid rendering glitches (bug 814434)
FIXED
___

- http://h-online.com/-1787497
19 Jan 2013

:fear::fear:

AplusWebMaster
2013-02-06, 09:31
FYI...

Firefox v18.0.2 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

- https://www.mozilla.org/en-US/firefox/18.0.2/releasenotes/
Feb 5, 2013 - 18.0.2: Fix JavaScript related stability issues
___

- https://wiki.mozilla.org/Releases#Upcoming_Releases
Firefox 19 - Week of 2013-02-18

:fear:

AplusWebMaster
2013-02-19, 18:35
FYI...

Firefox v19.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html
Feb 19, 2013

What's new...
- https://www.mozilla.org/en-US/firefox/19.0/releasenotes/
... NEW: Built-in PDF viewer*...
CHANGED, DEVELOPER, HTML5, FIXED, Known Issues...

Complete list of Bug fixes:
- https://www.mozilla.org/en-US/firefox/19.0/releasenotes/buglist.html

Security Advisories for v19.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox19
MFSA 2013-28 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer
MFSA 2013-27 Phishing on HTTPS connection through malicious proxy
MFSA 2013-26 Use-after-free in nsImageLoadingContent
MFSA 2013-25 Privacy leak in JavaScript Workers
MFSA 2013-24 Web content bypass of COW and SOW security wrappers
MFSA 2013-23 Wrapped WebIDL objects can be wrapped again
MFSA 2013-22 Out-of-bounds read in image rendering
MFSA 2013-21 Miscellaneous memory safety hazards (rv:19.0 / rv:17.0.3)
___

- http://www.securitytracker.com/id/1028162
CVE Reference: CVE-2013-0765, CVE-2013-0772, CVE-2013-0773, CVE-2013-0774, CVE-2013-0775, CVE-2013-0776, CVE-2013-0777, CVE-2013-0778, CVE-2013-0779, CVE-2013-0780, CVE-2013-0781, CVE-2013-0782, CVE-2013-0783, CVE-2013-0784
Feb 20 2013
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 19.0...

- http://h-online.com/-1806437
19 Feb 2013
___

* How to disable pdf viewer?
Type about:config in the address bar and press Enter.
Press the big button to bypass the warning.
In the Filter bar, paste pdfjs.disabled
In the search results, double-click pdfjs.disabled to set its value to -true-
Restart Firefox for the changes to take effect.

- https://github.com/mozilla/pdf.js/wiki/Additional-Learning-Resources

:fear:

AplusWebMaster
2013-03-08, 14:35
FYI...

Firefox v19.0.2 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html
Mar 7, 2013

Security Advisories for v19.0.2:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox19.0.2
Fixed in Firefox 19.0.2
MFSA 2013-29 Use-after-free in HTML Editor CVE-2013-0787

- https://www.mozilla.org/en-US/firefox/19.0.2/releasenotes/

- https://secunia.com/advisories/52538/
Release Date: 2013-03-08
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution: Update to a fixed version.
Original Advisory: MFSA 2013-29:
- http://www.mozilla.org/security/announce/2013/mfsa2013-29.html

:fear:

AplusWebMaster
2013-04-02, 18:54
FYI...

Firefox v20.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html
April 2, 2013

Security Advisories for v20.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox20
Fixed in Firefox 20
MFSA 2013-40 Out-of-bounds array read in CERT_DecodeCertPackage
MFSA 2013-39 Memory corruption while rendering grayscale PNG images
MFSA 2013-38 Cross-site scripting (XSS) using timed history navigations
MFSA 2013-37 Bypass of tab-modal dialog origin disclosure
MFSA 2013-36 Bypass of SOW protections allows cloning of protected nodes
MFSA 2013-35 WebGL crash with Mesa graphics driver on Linux
MFSA 2013-34 Privilege escalation through Mozilla Updater
MFSA 2013-33 World read and write access to app_tmp directory on Android
MFSA 2013-32 Privilege escalation through Mozilla Maintenance Service
MFSA 2013-31 Out-of-bounds write in Cairo library
MFSA 2013-30 Miscellaneous memory safety hazards (rv:20.0 / rv:17.0.5)

- https://www.mozilla.org/en-US/firefox/20.0/releasenotes/
FIXED 20.0: Security fixes ...
NEW Per-window Private Browsing...
NEW New download experience...
NEW Ability to close hanging plugins, without the browser hanging
___

- http://h-online.com/-1833854
2 April 2013

- http://www.theinquirer.net/inquirer/news/2258741/mozilla-releases-firefox-20-with-per-window-private-browsing
Apr 03 2013

- http://www.securitytracker.com/id/1028379
CVE Reference: CVE-2013-0788, CVE-2013-0789, CVE-2013-0790, CVE-2013-0791, CVE-2013-0792, CVE-2013-0793, CVE-2013-0794, CVE-2013-0795, CVE-2013-0796, CVE-2013-0797, CVE-2013-0798, CVE-2013-0799, CVE-2013-0800
Apr 3 2013
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 20.0 ...

:fear:

AplusWebMaster
2013-04-12, 16:25
FYI...

Firefox v20.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html
April 11, 2013

- https://www.mozilla.org/en-US/firefox/20.0.1/releasenotes/
FIXED: 20.0.1 - Windows-only update to handle issues around handling UNC paths...

- https://en.wikipedia.org/wiki/Path_%28computing%29#Uniform_Naming_Convention

:fear:

AplusWebMaster
2013-05-14, 18:57
FYI...

Firefox v21.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html
May 14, 2013

Security Advisories for v21.0:
* https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox21
Fixed in Firefox 21
MFSA 2013-48 Memory corruption found using Address Sanitizer
MFSA 2013-47 Uninitialized functions in DOMSVGZoomEvent
MFSA 2013-46 Use-after-free with video and onresize event
MFSA 2013-45 Mozilla Updater fails to update some Windows Registry entries
MFSA 2013-44 Local privilege escalation through Mozilla Maintenance Service
MFSA 2013-43 File input control has access to full path
MFSA 2013-42 Privileged access for content level constructor
MFSA 2013-41 Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6)

Release notes
- https://www.mozilla.org/en-US/firefox/21.0/releasenotes/
NEW The Social API now supports multiple providers
NEW Enhanced three-state UI for Do Not Track (DNT)
NEW Firefox will suggest how to improve your application startup time if needed
NEW Preliminary implementation of Firefox Health Report
CHANGED Ability to restore removed thumbnails on New Tab Page
CHANGED CSS -moz-user-select:none selection changed to improve compatibility with -webkit-user-select:none (bug 816298)
CHANGED Graphics related performance improvements (bug 809821)
CHANGED Removed E4X support from Spidermonkey
DEVELOPER Implemented Remote Profiling
DEVELOPER Integrated add-on SDK loader and API libraries into Firefox
HTML5 Added support for <main> element
HTML5 Implemented scoped stylesheets
FIXED Some function keys may not work when pressed (833719)
FIXED Browsing and Download history clearing needs unification to avoid confusion on clearing download history (847627)
FIXED 21.0: Security fixes can be found here* ...

- https://secunia.com/advisories/53400/
Release Date: 2013-05-15
Criticality level: Highly critical
Impact: Security Bypass, System access
Where: From remote ...
Solution: Update to version 21.0.

- http://www.securitytracker.com/id/1028555
CVE Reference: CVE-2013-0801, CVE-2013-1669, CVE-2013-1670, CVE-2013-1671, CVE-2013-1672, CVE-2013-1673, CVE-2013-1674, CVE-2013-1675, CVE-2013-1676, CVE-2013-1677, CVE-2013-1678, CVE-2013-1679, CVE-2013-1680, CVE-2013-1681
May 14 2013
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 17.0.6 and 21.0...

:fear:

AplusWebMaster
2013-06-25, 18:37
FYI...

Firefox v22.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html
June 25, 2013

Security Advisories for v22.0:
* https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox22
Fixed in Firefox 22
MFSA 2013-62 Inaccessible updater can lead to local privilege escalation
MFSA 2013-61 Homograph domain spoofing in .com, .net and .name
MFSA 2013-60 getUserMedia permission dialog incorrectly displays location
MFSA 2013-59 XrayWrappers can be bypassed to run user defined methods in a privileged context
MFSA 2013-58 X-Frame-Options ignored when using server push with multi-part responses
MFSA 2013-57 Sandbox restrictions not applied to nested frame elements
MFSA 2013-56 PreserveWrapper has inconsistent behavior
MFSA 2013-55 SVG filters can lead to information disclosure
MFSA 2013-54 Data in the body of XHR HEAD requests leads to CSRF attacks
MFSA 2013-53 Execution of unmapped memory through onreadystatechange event
MFSA 2013-52 Arbitrary code execution within Profiler
MFSA 2013-51 Privileged content access and execution via XBL
MFSA 2013-50 Memory corruption found using Address Sanitizer
MFSA 2013-49 Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)

Release notes
- https://www.mozilla.org/en-US/firefox/22.0/releasenotes/

... complete list of changes in this release... 510 bugs found.
___

- https://secunia.com/advisories/53970/
Release Date: 2013-06-26
Criticality level: Highly Critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, System access
... vulnerabilities are reported in versions prior to 22.0.
Solution: Upgrade to version 22.0.

- http://www.securitytracker.com/id/1028702
CVE Reference: CVE-2013-1682, CVE-2013-1683, CVE-2013-1684, CVE-2013-1685, CVE-2013-1686, CVE-2013-1687, CVE-2013-1688, CVE-2013-1690, CVE-2013-1692, CVE-2013-1693, CVE-2013-1694, CVE-2013-1695, CVE-2013-1696, CVE-2013-1697, CVE-2013-1698, CVE-2013-1699, CVE-2013-1700
Jun 26 2013
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to ESR 17.0.7; prior to 22.0 ...

:fear:

tashi
2013-08-07, 04:31
Firefox v 23.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

http://www.mozilla.org/en-US/firefox/23.0/releasenotes/

Security Advisories
Fixed in Firefox 23

MFSA 2013-75 Local Java applets may read contents of local file system
MFSA 2013-74 Firefox full and stub installer DLL hijacking
MFSA 2013-73 Same-origin bypass with web workers and XMLHttpRequest
MFSA 2013-72 Wrong principal used for validating URI for some Javascript components
MFSA 2013-71 Further Privilege escalation through Mozilla Updater
MFSA 2013-70 Bypass of XrayWrappers using XBL Scopes
MFSA 2013-69 CRMF requests allow for code execution and XSS attacks
MFSA 2013-68 Document URI misrepresentation and masquerading
MFSA 2013-67 Crash during WAV audio file decoding
MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
MFSA 2013-65 Buffer underflow when generating CRMF requests
MFSA 2013-64 Use after free mutating DOM during SetBody
MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)

https://www.mozilla.org/security/known-vulnerabilities/firefox.html

AplusWebMaster
2013-08-17, 14:57
FYI...

Firefox v23.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

- https://www.mozilla.org/en-US/firefox/23.0.1/releasenotes/
August 16, 2013
FIXED 23.0.1 - Rendering glitches on H.264 video only in FF23 on Vista (901944)
FIXED 23.0.1 - Spellchecking broken with non-ASCII characters in profile path (902532)
FIXED 23.0.1 - Audio static/"burble"/breakup in Firefox to Firefox WebRTC calls (901527) ...

:fear:

AplusWebMaster
2013-09-17, 19:53
FYI...

Firefox v24.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html
Sep 17, 2013

Security Advisories for v24.0:
* https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox24
Fixed in Firefox 24
MFSA 2013-92 GC hazard with default compartments and frame chain restoration
MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object
MFSA 2013-90 Memory corruption involving scrolling
MFSA 2013-89 Buffer overflow with multi-column, lists, and floats
MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes
MFSA 2013-87 Shared object library loading from writable location
MFSA 2013-86 WebGL Information disclosure through OS X NVIDIA graphic drivers
MFSA 2013-85 Uninitialized data in IonMonkey
MFSA 2013-84 Same-origin bypass through symbolic links
MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification
MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption
MFSA 2013-81 Use-after-free with select element
MFSA 2013-80 NativeKey continues handling key messages after widget is destroyed
MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning
MFSA 2013-78 Integer overflow in ANGLE library
MFSA 2013-77 Improper state in HTML5 Tree Builder with templates
MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)

Release notes
- https://www.mozilla.org/en-US/firefox/24.0/releasenotes/

... complete list of changes in this release... 543 bugs found.
___

- http://www.securitytracker.com/id/1029042
CVE Reference: CVE-2013-1718, CVE-2013-1719, CVE-2013-1720, CVE-2013-1721, CVE-2013-1722, CVE-2013-1723, CVE-2013-1724, CVE-2013-1725, CVE-2013-1726, CVE-2013-1727, CVE-2013-1728, CVE-2013-1729, CVE-2013-1730, CVE-2013-1731, CVE-2013-1732, CVE-2013-1735, CVE-2013-1736, CVE-2013-1737, CVE-2013-1738
Sep 17 2013
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 24.0; prior to ESR 17.0.9 ...

:fear::fear:

AplusWebMaster
2013-10-29, 16:15
FYI...

Firefox v25.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html
Oct 29, 2013

Security Advisories for v25.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox25
Fixed in Firefox 25
MFSA 2013-102 Use-after-free in HTML document templates
MFSA 2013-101 Memory corruption in workers
MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
MFSA 2013-99 Security bypass of PDF.js checks using iframes
MFSA 2013-98 Use-after-free when updating offline cache
MFSA 2013-97 Writing to cycle collected object during image decoding
MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions
MFSA 2013-95 Access violation with XSLT and uninitialized data
MFSA 2013-94 Spoofing addressbar through SELECT element
MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)

Release notes
- https://www.mozilla.org/en-US/firefox/25.0/releasenotes/

... complete list of changes in this release... 565 bugs found.
___

- https://secunia.com/advisories/55520/
Release Date: 2013-10-30
Criticality: Highly Critical
Where: From remote
Impact: Security Bypass, Spoofing, System access
... vulnerabilities are reported in versions prior to 25.
Solution: Upgrade to version 25.

- http://www.securitytracker.com/id/1029270
CVE Reference: CVE-2013-5590, CVE-2013-5591, CVE-2013-5592, CVE-2013-5593, CVE-2013-5595, CVE-2013-5596, CVE-2013-5597, CVE-2013-5598, CVE-2013-5599, CVE-2013-5600, CVE-2013-5601, CVE-2013-5602, CVE-2013-5603, CVE-2013-5604
Oct 30 2013
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 25.0 ...
Solution: The vendor has issued a fix (25.0)...

:fear::fear:

AplusWebMaster
2013-11-16, 13:56
FYI...

Firefox v25.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html
Nov 15, 2013

Release notes
- https://www.mozilla.org/en-US/firefox/25.0.1/releasenotes/
25.0.1: New security fixes... (list not available as of date/time of this post)
25.0.1: Pages sometimes wouldn't load without first moving the cursor

:fear:

AplusWebMaster
2013-11-19, 14:47
FYI...

Firefox v25.0.1 ...

From an admin. account, start Firefox, then >Help >About >Check for Updates ...

- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox25.0.1
Fixed in Firefox 25.0.1
MFSA 2013-103 Miscellaneous Network Security Services (NSS) vulnerabilities
- https://www.mozilla.org/security/announce/2013/mfsa2013-103.html
CVE Reference(s):
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1741 - 7.5 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566 - 2.6
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5605 - 7.5 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5606 - 6.4
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5607 - 7.5 (HIGH)

- https://secunia.com/advisories/55732/
Release Date: 2013-11-19
Criticality: Highly Critical
Where: From remote
Impact: Unknown, Security Bypass, System access
Solution Status: Vendor Patch...
For more information: https://secunia.com/SA55557/
Solution: Update to a fixed version.
Original Advisory: Mozilla:
https://www.mozilla.org/security/announce/2013/mfsa2013-103.html

:fear::fear:

AplusWebMaster
2013-12-10, 17:05
FYI...

Firefox v26.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Security Advisories for v26.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox26
Fixed in Firefox 26
MFSA 2013-117 Mis-issued ANSSI/DCSSI certificate
MFSA 2013-116 JPEG information leak
MFSA 2013-115 GetElementIC typed array stubs can be generated outside observed typesets
MFSA 2013-114 Use-after-free in synthetic mouse movement
MFSA 2013-113 Trust settings for built-in roots ignored during EV certificate validation
MFSA 2013-112 Linux clipboard information disclosure through selection paste
MFSA 2013-111 Segmentation violation when replacing ordered list elements
MFSA 2013-110 Potential overflow in JavaScript binary search algorithms
MFSA 2013-109 Use-after-free during Table Editing
MFSA 2013-108 Use-after-free in event listeners
MFSA 2013-107 Sandbox restrictions not applied to nested object elements
MFSA 2013-106 Character encoding cross-origin XSS attack
MFSA 2013-105 Application Installation doorhanger persists on navigation
MFSA 2013-104 Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)

Release notes
- https://www.mozilla.org/en-US/firefox/26.0/releasenotes/
Dec 10, 2013

... complete list of changes in this release... 676 bugs found.
___

- https://secunia.com/advisories/56005/
Release Date: 2013-12-10
Criticality: Highly Critical
Where: From remote
Impact: Unknown, Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, System access
CVE Reference(s): CVE-2013-5609, CVE-2013-5610, CVE-2013-5611, CVE-2013-5612, CVE-2013-5613, CVE-2013-5614, CVE-2013-5615, CVE-2013-5616, CVE-2013-5618, CVE-2013-5619, CVE-2013-6629, CVE-2013-6630, CVE-2013-6671, CVE-2013-6672, CVE-2013-6673
... security issue and the vulnerabilities are reported in versions prior to 26.
Solution: Upgrade to version 26.

:fear:

AplusWebMaster
2014-02-04, 16:55
FYI...

Firefox v27.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Security Advisories for v27.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox27
MFSA 2014-13 Inconsistent JavaScript handling of access to Window objects
MFSA 2014-12 NSS ticket handling issues
MFSA 2014-11 Crash when using web workers with asm.js
MFSA 2014-10 Firefox default start page UI content invokable by script
MFSA 2014-09 Cross-origin information leak through web workers
MFSA 2014-08 Use-after-free with imgRequestProxy and image processing
MFSA 2014-07 XSLT stylesheets treated as styles in Content Security Policy
MFSA 2014-06 Profile path leaks to Android system log
MFSA 2014-05 Information disclosure with *FromPoint on iframes
MFSA 2014-04 Incorrect use of discarded images by RasterImage
MFSA 2014-03 UI selection timeout missing on download prompts
MFSA 2014-02 Clone protected content with XBL scopes
MFSA 2014-01 Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)

Release notes
- https://www.mozilla.org/en-US/firefox/27.0/releasenotes/
Feb 4, 2014

... complete list of changes in this release... 659 bugs found.
___

- http://www.securitytracker.com/id/1029717
CVE Reference: CVE-2014-1477, CVE-2014-1478, CVE-2014-1479, CVE-2014-1480, CVE-2014-1481, CVE-2014-1482, CVE-2014-1483, CVE-2014-1485, CVE-2014-1486, CVE-2014-1487, CVE-2014-1488, CVE-2014-1489, CVE-2014-1490, CVE-2014-1491
Feb 5 2014
Impact: Denial of service via network, Disclosure of system information, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 27.0 ...
Solution: The vendor has issued a fix (27.0)...

- https://secunia.com/advisories/56787/
Release Date: 2014-02-05
Criticality: Highly Critical
Where: From remote
Impact: Security Bypass, System access
For more information: https://secunia.com/SA56767/
Solution: Upgrade to version 27.

:fear:

AplusWebMaster
2014-02-15, 15:04
FYI...

Firefox v27.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Release notes:
- https://www.mozilla.org/en-US/firefox/27.0.1/releasenotes/
FIXED: 27.0.1 - Fixed stability issues with Greasemonkey and other JS that used ClearTimeoutOrInterval
FIXED: 27.0.1 - JS math correctness issue (bug 941381)

:fear:

AplusWebMaster
2014-03-18, 15:37
FYI...

Firefox 28.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Security Advisories for 28.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox28
MFSA 2014-32 Out-of-bounds write through TypedArrayObject after neutering
MFSA 2014-31 Out-of-bounds read/write through neutering ArrayBuffer objects
MFSA 2014-30 Use-after-free in TypeObject
MFSA 2014-29 Privilege escalation using WebIDL-implemented APIs
MFSA 2014-28 SVG filters information disclosure through feDisplacementMap
MFSA 2014-27 Memory corruption in Cairo during PDF font rendering
MFSA 2014-26 Information disclosure through polygon rendering in MathML
MFSA 2014-25 Firefox OS DeviceStorageFile object vulnerable to relative path escape
MFSA 2014-24 Android Crash Reporter open to manipulation
MFSA 2014-23 Content Security Policy for data: documents not preserved by session restore
MFSA 2014-22 WebGL content injection from one domain to rendering in another
MFSA 2014-21 Local file access via Open Link in new tab
MFSA 2014-20 onbeforeunload and Javascript navigation DOS
MFSA 2014-19 Spoofing attack on WebRTC permission prompt
MFSA 2014-18 crypto.generateCRMFRequest does not validate type of key
MFSA 2014-17 Out of bounds read during WAV file decoding
MFSA 2014-16 Files extracted during updates are not always read only
MFSA 2014-15 Miscellaneous memory safety hazards (rv:28.0 / rv:24.4)

Release notes
- https://www.mozilla.org/en-US/firefox/28.0/releasenotes/
Mar 18, 2014

... complete list of changes in this release... 865 bugs found.
___

- http://www.securitytracker.com/id/1029928
CVE Reference: CVE-2014-1493, CVE-2014-1494, CVE-2014-1496, CVE-2014-1497, CVE-2014-1498, CVE-2014-1499, CVE-2014-1500, CVE-2014-1501, CVE-2014-1502, CVE-2014-1504, CVE-2014-1505, CVE-2014-1506, CVE-2014-1507, CVE-2014-1508, CVE-2014-1509, CVE-2014-1510, CVE-2014-1511, CVE-2014-1512, CVE-2014-1513, CVE-2014-1514
Mar 19 2014
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 28.0 ...
Solution: The vendor has issued a fix (28.0)...
___

- https://www.computerworld.com/s/article/9247062/Mozilla_patches_20_Firefox_flaws_plugs_Pwn2Own_holes
Mar 19, 2014 - "... Firefox 28 was primarily a security update, patching the five Pwn2Own flaws and 15 others..."
___

Firefox 28.0.1 for Android
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox28.0.1

- https://www.mozilla.org/security/announce/2014/mfsa2014-33.html

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1515
"... Firefox before 28.0.1 on Android processes a file: URL by copying a local file onto the SD card, which allows attackers to obtain sensitive information from the Firefox profile directory via a crafted application..."

:fear:

AplusWebMaster
2014-04-30, 03:07
FYI...

Firefox 29.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Security Advisories for 29.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox29
Fixed in Firefox 29
MFSA 2014-47 Debugger can bypass XrayWrappers with JavaScript
MFSA 2014-46 Use-after-free in nsHostResolve
MFSA 2014-45 Incorrect IDNA domain name matching for wildcard certificates
MFSA 2014-44 Use-after-free in imgLoader while resizing images
MFSA 2014-43 Cross-site scripting (XSS) using history navigations
MFSA 2014-42 Privilege escalation through Web Notification API
MFSA 2014-41 Out-of-bounds write in Cairo
MFSA 2014-40 Firefox for Android addressbar suppression
MFSA 2014-39 Use-after-free in the Text Track Manager for HTML video
MFSA 2014-38 Buffer overflow when using non-XBL object as XBL
MFSA 2014-37 Out of bounds read while decoding JPG images
MFSA 2014-36 Web Audio memory corruption issues
MFSA 2014-35 Privilege escalation through Mozilla Maintenance Service Installer
MFSA 2014-34 Miscellaneous memory safety hazards (rv:29.0 / rv:24.5)

Release notes
- https://www.mozilla.org/en-US/firefox/29.0/releasenotes/
Apr 29, 2014

... complete list of changes in this release... 3892 bugs found.
___

- https://addons.mozilla.org/en-US/firefox/addon/status-4-evar/versions/
April 27, 2014
___

- http://www.securitytracker.com/id/1030163
CVE Reference: CVE-2014-1518, CVE-2014-1519, CVE-2014-1520, CVE-2014-1522, CVE-2014-1523, CVE-2014-1524, CVE-2014-1525, CVE-2014-1526, CVE-2014-1527, CVE-2014-1528, CVE-2014-1529, CVE-2014-1530, CVE-2014-1531, CVE-2014-1532
Apr 30 2014
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 29.0 ...
Solution: The vendor has issued a fix (29.0)...

:fear:

AplusWebMaster
2014-05-10, 03:31
FYI...

Firefox 29.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Release notes
- https://www.mozilla.org/en-US/firefox/29.0.1/releasenotes/
May 9, 2014

:fear:

AplusWebMaster
2014-06-10, 18:19
FYI...

Firefox 30.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Security Advisories for 30.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox30
Fixed in Firefox 30
MFSA 2014-54 Buffer overflow in Gamepad API
MFSA 2014-53 Buffer overflow in Web Audio Speex resampler
MFSA 2014-52 Use-after-free with SMIL Animation Controller
MFSA 2014-51 Use-after-free in Event Listener Manager
MFSA 2014-50 Clickjacking through cursor invisibility after Flash interaction
MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer
MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)

Release notes
- https://www.mozilla.org/en-US/firefox/30.0/releasenotes/
June 10, 2014

... complete list of changes in this release... 3622 bugs found.
___

- http://www.securitytracker.com/id/1030388
CVE Reference: CVE-2014-1533, CVE-2014-1534, CVE-2014-1536, CVE-2014-1537, CVE-2014-1538, CVE-2014-1539, CVE-2014-1540, CVE-2014-1541, CVE-2014-1542, CVE-2014-1543
Jun 11 2014
Impact: Disclosure of system information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 30.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system. A remote user can conduct clickjacking attacks.
Solution: The vendor has issued a fix (30.0)...

:fear::fear:

AplusWebMaster
2014-07-22, 17:27
FYI...

Firefox 31.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Security Advisories for 31.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox31
Fixed in Firefox 31
MFSA 2014-66 IFRAME sandbox same-origin access through redirect
MFSA 2014-65 Certificate parsing broken by non-standard character encoding
MFSA 2014-64 Crash in Skia library when scaling high quality images
MFSA 2014-63 Use-after-free when manipulating certificates in the trusted cache
MFSA 2014-62 Exploitable WebGL crash with Cesium JavaScript library
MFSA 2014-61 Use-after-free with FireOnStateChange event
MFSA 2014-60 Toolbar dialog customization event spoofing
MFSA 2014-59 Use-after-free in DirectWrite font handling
MFSA 2014-58 Use-after-free in Web Audio due to incorrect control message ordering
MFSA 2014-57 Buffer overflow during Web Audio buffering for playback
MFSA 2014-56 Miscellaneous memory safety hazards (rv:31.0 / rv:24.7)

Release notes
- https://www.mozilla.org/en-US/firefox/31.0/releasenotes/
July 22, 2014

... complete list of changes in this release... 3025 bugs found.
___

- http://www.securitytracker.com/id/1030619
CVE Reference: CVE-2014-1547, CVE-2014-1548, CVE-2014-1549, CVE-2014-1550, CVE-2014-1551, CVE-2014-1552, CVE-2014-1555, CVE-2014-1556, CVE-2014-1557, CVE-2014-1558, CVE-2014-1559, CVE-2014-1560, CVE-2014-1561
Jul 22 2014
Impact: Denial of service via network, Execution of arbitrary code via network, Modification of system information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 31.0 ...

:fear:

AplusWebMaster
2014-09-02, 18:12
FYI...

Firefox 32.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Security Advisories for 32.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox32
Fixed in Firefox 32
MFSA 2014-72 Use-after-free setting text directionality
MFSA 2014-71 Profile directory file access through file: protocol
MFSA 2014-70 Out-of-bounds read in Web Audio audio timeline
MFSA 2014-69 Uninitialized memory use during GIF rendering
MFSA 2014-68 Use-after-free during DOM interactions with SVG
MFSA 2014-67 Miscellaneous memory safety hazards (rv:32.0 / rv:31.1 / rv:24.8)

Release notes
- https://www.mozilla.org/en-US/firefox/32.0/releasenotes/
Sep 2, 2014

... complete list of changes in this release... 3198 bugs found.
___

- http://www.securitytracker.com/id/1030793
CVE Reference: CVE-2014-1553, CVE-2014-1554, CVE-2014-1562, CVE-2014-1563, CVE-2014-1564, CVE-2014-1565, CVE-2014-1567
Sep 3 2014
Impact: Disclosure of system information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 31.1, 32.0 ...

:fear:

AplusWebMaster
2014-09-13, 03:39
FYI...

Firefox 32.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Release notes
- https://www.mozilla.org/en-US/firefox/32.0.1/releasenotes/
Sep 12, 2014
Fixed: 32.0.1 - Stability issues for computers with multiple graphics cards
Fixed: 32.0.1 - Mixed content icon may be incorrectly displayed instead of lock icon for SSL sites
Fixed: 32.0.1 - WebRTC: setRemoteDescription() silently fails if no success callback is specified...

Mobile:
- https://www.mozilla.org/en-US/mobile/32.0.1/releasenotes/
Fixed: 32.0.1 - Link tap selection is offset on some Android devices
Fixed: 32.0.1 - WebRTC: setRemoteDescription() silently fails if no success callback is specified...

:fear:

AplusWebMaster
2014-09-19, 02:27
FYI...

Firefox 32.0.2 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Release notes
- https://www.mozilla.org/en-US/firefox/32.0.2/releasenotes/
Sep 18, 2014
Fixed: 32.0.2 - Corrupt installations cause Firefox to crash on update

:fear:

AplusWebMaster
2014-09-25, 02:15
FYI...

Firefox 32.0.3 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Release notes
- https://www.mozilla.org/en-US/firefox/32.0.3/releasenotes/
September 24, 2014
Fixed: 32.0.3: New security fixes can be found here*
* https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox32.0.3
MFSA 2014-73 RSA Signature Forgery in NSS
> https://www.mozilla.org/security/announce/2014/mfsa2014-73.html

> https://www.us-cert.gov/ncas/current-activity/2014/09/24/Mozilla-Network-Security-Services-NSS-Library-Vulnerability
Sep 24, 2014

- http://www.kb.cert.org/vuls/id/772676
24 Sep 2014 - "... This vulnerability may allow an attacker to forge a RSA signature, such as a SSL certificate..."

- http://www.securitytracker.com/id/1030901
CVE Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1568 - 7.5 (HIGH)
Sep 24 2014
Impact: Disclosure of system information, Disclosure of user information, Modification of authentication information, Modification of system information, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions ESR 24.8.1, ESR 31.1.1, 32.0.3 ...

:fear::fear:

AplusWebMaster
2014-10-14, 18:31
FYI...

Firefox 33.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Security Advisories for 33.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox33
Fixed in Firefox 33
MFSA 2014-82 Accessing cross-origin objects via the Alarms API
MFSA 2014-81 Inconsistent video sharing within iframe
MFSA 2014-80 Key pinning bypasses
MFSA 2014-79 Use-after-free interacting with text directionality
MFSA 2014-78 Further uninitialized memory use during GIF
MFSA 2014-77 Out-of-bounds write with WebM video
MFSA 2014-76 Web Audio memory corruption issues with custom waveforms
MFSA 2014-75 Buffer overflow during CSS manipulation
MFSA 2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)

Release notes
- https://www.mozilla.org/en-US/firefox/33.0/releasenotes/
Oct 14, 2014

... complete list of changes in this release... 3422 bugs found.
___

- http://www.securitytracker.com/id/1031028
CVE Reference: CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577, CVE-2014-1578, CVE-2014-1580, CVE-2014-1581, CVE-2014-1582, CVE-2014-1583, CVE-2014-1584, CVE-2014-1585, CVE-2014-1586
Oct 14 2014
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 33.0 ...
___

Mozilla to disable encryption feature in next Firefox browser due to 'Poodle' bug
- http://www.reuters.com/article/2014/10/15/cybersecurity-encryption-mozilla-idUSL3N0SA04O20141015
Oct 14, 2014 - "Mozilla said it will -disable- Secure Sockets Layer (SSL) encryption in the latest version of its Firefox web browser that will be released on Nov. 25 after a security bug called "Poodle" was discovered in a web encryption technology. "By exploiting this vulnerability, an attacker can gain access to things like passwords and cookies, enabling him to access a user's private account data on a website," Mozilla said in its blog*. SSL 3.0 will be disabled by default in Firefox 34, Mozilla said. The code to disable the security protocol will be available shortly via Mozilla Nightly, an in-development version of Mozilla's browser. Mozilla also said that Firefox 35 will support a generic Transport Layer Security (TLS) downgrade protection mechanism called SCSV (Signaling Cipher Suite Value), as a precautionary measure..."
* https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
Oct 14, 2014 - "Summary: SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information. We have a plan to turn off SSLv3 in Firefox. This plan was developed with other browser vendors after a team at Google discovered a critical flaw in SSLv3, which can allow an attacker to extract secret information from inside of an encrypted transaction. SSLv3 is an old version of the security system that underlies secure Web transactions and is known as the “Secure Sockets Layer” (SSL) or “Transport Layer Security” (TLS)..."

Microsoft Security Advisory 3009008
Vulnerability in SSL 3.0 Could Allow Information Disclosure
- https://technet.microsoft.com/en-us/library/security/3009008.aspx
Oct 14, 2014

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
Last revised: 10/14/2014

:fear:

AplusWebMaster
2014-10-27, 03:33
FYI...

Firefox 33.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Release notes
- https://www.mozilla.org/en-US/firefox/33.0.1/releasenotes/
Oct 24, 2014
Fixed: 33.0.1: Firefox displays a black screen at start-up with certain graphics drivers

:fear:

AplusWebMaster
2014-10-29, 03:41
FYI...

Firefox 33.0.2 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Release notes
- https://www.mozilla.org/en-US/firefox/33.0.2/releasenotes/
Oct 28, 2014
Fixed: 33.0.2: Fix a startup crash with some combination of hardware and drivers

:fear:

AplusWebMaster
2014-11-07, 14:35
FYI...

Firefox 33.0.3 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Release notes
- https://www.mozilla.org/en-US/firefox/33.0.3/releasenotes/
Nov 6, 2014
Fixed:
33.0.3: Blacklisted graphics drivers that were causing black screens with OMTC enabled...
33.0.3: Fix two startup crashes with some combination of hardware and drivers

:spider:

AplusWebMaster
2014-11-10, 18:15
FYI...

Firefox 33.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Release notes
- https://www.mozilla.org/en-US/firefox/33.1/releasenotes/
Nov 10, 2014
New:
- Forget Button added
- Enhanced Tiles
- Privacy tour introduced
- Adding DuckDuckGo as a search option

:fear:

AplusWebMaster
2014-11-15, 16:57
FYI...

Firefox 33.1.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Release notes
- https://www.mozilla.org/en-US/firefox/33.1.1/releasenotes/
Nov 14, 2014
Fixed: 33.1.1 - Fixed startup crash

:fear:

AplusWebMaster
2014-12-01, 19:45
FYI...

Firefox 34.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Security Advisories for 34.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox34
Fixed in Firefox 34
2014-91 Privileged access to security wrapped protected objects
2014-90 Apple CoreGraphics framework on OS X 10.10 logging input data to /tmp directory
2014-89 Bad casting from the BasicThebesLayer to BasicContainerLayer
2014-88 Buffer overflow while parsing media content
2014-87 Use-after-free during HTML5 parsing
2014-86 CSP leaks redirect data via violation reports
2014-85 XMLHttpRequest crashes with some input streams
2014-84 XBL bindings accessible via improper CSS declarations
2014-83 Miscellaneous memory safety hazards (rv:34.0 / rv:31.3)

Release notes
- https://www.mozilla.org/en-US/firefox/34.0/releasenotes/
Dec 1, 2014

... complete list of changes in this release... 3749 bugs found.
___

- http://www.securitytracker.com/id/1031286
CVE Reference: CVE-2014-1587, CVE-2014-1588, CVE-2014-1589, CVE-2014-1590, CVE-2014-1591, CVE-2014-1592, CVE-2014-1593, CVE-2014-1594, CVE-2014-1595, CVE-2014-8631, CVE-2014-8632
Dec 3 2014
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 34.0 ...
Solution: The vendor has issued a fix (34.0).

:fear:

AplusWebMaster
2015-01-13, 18:42
FYI...

Firefox 35.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Security Advisories for 35.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox35
Fixed in Firefox 35
2015-09 XrayWrapper bypass through DOM objects
2015-08 Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension
2015-07 Gecko Media Plugin sandbox escape
2015-06 Read-after-free in WebRTC
2015-05 Read of uninitialized memory in Web Audio
2015-04 Cookie injection through Proxy Authenticate responses
2015-03 sendBeacon requests lack an Origin header
2015-02 Uninitialized memory use during bitmap rendering
2015-01 Miscellaneous memory safety hazards (rv:35.0 / rv:31.4)

Release notes
- https://www.mozilla.org/en-US/firefox/35.0/releasenotes/
Jan 13, 2015

... complete list of changes in this release... 3589 bugs found.
___

- http://www.securitytracker.com/id/1031533
CVE Reference: CVE-2014-8634, CVE-2014-8635, CVE-2014-8636, CVE-2014-8637, CVE-2014-8638, CVE-2014-8639, CVE-2014-8640, CVE-2014-8641, CVE-2014-8642, CVE-2014-8643
Jan 14 2015
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of authentication information, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 35.0 ...
Solution: The vendor has issued a fix (35.0).

:fear:

AplusWebMaster
2015-01-27, 15:40
FYI...

Firefox 35.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Release notes
- https://www.mozilla.org/en-US/firefox/35.0.1/releasenotes/
Jan 26, 2015

... complete list of changes in this release 3610 bugs found.

:fear:

AplusWebMaster
2015-02-24, 16:57
FYI...

Firefox 36.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Security Advisories for 36.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox36
Fixed in Firefox 36
2015-27 Caja Compiler JavaScript sandbox bypass
2015-26 UI Tour whitelisted sites in background tab can spoof foreground tabs
2015-25 Local files or privileged URLs in pages can be opened into new tabs
2015-24 Reading of local files through manipulation of form autocomplete
2015-23 Use-after-free in Developer Console date with OpenType Sanitiser
2015-22 Crash using DrawTarget in Cairo graphics library
2015-21 Buffer underflow during MP3 playback
2015-20 Buffer overflow during CSS restyling
2015-19 Out-of-bounds read and write while rendering SVG content
2015-18 Double-free when using non-default memory allocators with a zero-length XHR
2015-17 Buffer overflow in libstagefright during MP4 video playback
2015-16 Use-after-free in IndexedDB
2015-15 TLS TURN and STUN connections silently fail to simple TCP connections
2015-14 Malicious WebGL content crash when writing strings
2015-13 Appended period to hostnames can bypass HPKP and HSTS protections
2015-12 Invoking Mozilla updater will load locally stored DLL files
2015-11 Miscellaneous memory safety hazards (rv:36.0 / rv:31.5)

Release notes
- https://www.mozilla.org/en-US/firefox/36.0/releasenotes/
Feb 24, 2015

... complete list of changes in this release... 3608 bugs found.
___

- http://www.securitytracker.com/id/1031791
CVE Reference: CVE-2015-0819, CVE-2015-0821, CVE-2015-0822, CVE-2015-0823, CVE-2015-0824, CVE-2015-0825, CVE-2015-0826, CVE-2015-0827, CVE-2015-0828, CVE-2015-0829, CVE-2015-0830, CVE-2015-0831, CVE-2015-0833, CVE-2015-0834, CVE-2015-0835, CVE-2015-0836
Feb 24 2015
Version: prior to 36.0...

:fear:

AplusWebMaster
2015-03-21, 02:42
FYI...

Firefox 36.0.3 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

- https://www.mozilla.org/en-US/firefox/36.0.3/releasenotes/
What’s New:
Fixed: 36.0.3: Security fixes for issues disclosed at HP Zero Day Initiative's Pwn2Own contest*

* https://www.mozilla.org/security/known-vulnerabilities/firefox/#firefox36.0.3
Fixed in Firefox 36.0.3
2015-29 Code execution through incorrect JavaScript bounds checking elimination
2015-28 Privilege escalation through SVG navigation
___

- https://www.us-cert.gov/ncas/current-activity/2015/03/20/Mozilla-Releases-Security-Updates-Firefox-Firefox-ESR-and-SeaMonkey
March 20, 2015 - "... Available updates include:
• Firefox 36.0.3
• Firefox ESR 31.5.2
• SeaMonkey 2.33.1 ..."
___

- http://www.securitytracker.com/id/1031958
CVE Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817
Mar 22 2015
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 36.0.3 ...

All four major browsers take a stomping at Pwn2Own...
- http://arstechnica.com/security/2015/03/all-four-major-browsers-take-a-stomping-at-pwn2own-hacking-competition/
Mar 20, 2015 - "The annual Pwn2Own hacking competition wrapped up its 2015 event in Vancouver with another banner year, paying $442,000 for 21 critical bugs in all four major browsers, as well as Windows, Adobe Flash, and Adobe Reader..."

:fear::fear:

AplusWebMaster
2015-03-21, 22:23
FYI...

Firefox 36.0.4 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

- https://www.mozilla.org/en-US/firefox/36.0.4/releasenotes/

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox36.0.4
Fixed in Firefox 36.0.4
2015-28 Privilege escalation through SVG navigation

... HP Zero Day Initiative's Pwn2Own contest... AGAIN.
___

- http://www.securitytracker.com/id/1031959
CVE Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0818
Mar 22 2015
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 36.0.4...

- https://www.mozilla.org/en-US/security/advisories/mfsa2015-28/
- https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/
Impact: Critical

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0817 - 6.8
Last revised: 03/27/2015
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0818 - 7.5 (HIGH)
Last revised: 03/27/2015

:fear:

AplusWebMaster
2015-03-31, 18:50
FYI...

Firefox 37.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

- https://www.mozilla.org/en-US/firefox/37.0/releasenotes/
March 31, 2015

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox37
Fixed in Firefox 37.0
2015-42 Windows can retain access to privileged content on navigation to unprivileged pages
2015-41 PRNG weakness allows for DNS poisoning on Android
2015-40 Same-origin bypass through anchor navigation
2015-39 Use-after-free due to type confusion flaws
2015-38 Memory corruption crashes in Off Main Thread Compositing
2015-37 CORS requests should not follow 30x redirections after preflight
2015-36 Incorrect memory management for simple-type arrays in WebRTC
2015-35 Cursor clickjacking with flash and images
2015-34 Out of bounds read in QCMS library
2015-33 resource:// documents can load privileged pages
2015-32 Add-on lightweight theme installation approval bypassed through MITM attack
2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin
2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)

... complete list of changes in this release... 2817 bugs found.
___

- http://www.securitytracker.com/id/1031996
CVE Reference: CVE-2015-0800, CVE-2015-0801, CVE-2015-0802, CVE-2015-0803, CVE-2015-0804, CVE-2015-0805, CVE-2015-0806, CVE-2015-0807, CVE-2015-0808, CVE-2015-0810, CVE-2015-0811, CVE-2015-0812, CVE-2015-0813, CVE-2015-0814, CVE-2015-0815, CVE-2015-0816
Apr 1 2015
Original Entry Date: Mar 31 2015
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 37.0 ...

:fear:

AplusWebMaster
2015-04-04, 11:25
FYI...

Firefox 37.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

- https://www.mozilla.org/en-US/firefox/37.0.1/releasenotes/
April 3, 2015

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox37.0.1
Fixed in Firefox 37.0.1
2015-44 Certificate verification bypass through the HTTP/2 Alt-Svc header*
2015-43 Loading privileged content through Reader mode

* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0799
___

- https://www.us-cert.gov/ncas/current-activity/2015/04/06/Mozilla-Releases-Security-Update-Firefox
April 06, 2015 - "... Mozilla Foundation has released Firefox 37.0.1 to address two vulnerabilities, one of which may allow a remote attacker to conduct man-in-the-middle attacks. Users and administrators are encouraged to review the security advisories for Firefox and apply the necessary updates."

:fear:

AplusWebMaster
2015-04-22, 11:52
FYI...

Firefox 37.0.2 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

- https://www.mozilla.org/en-US/firefox/37.0.2/releasenotes/
April 20, 2015

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox37.0.2
Fixed in Firefox 37.0.2
2015-45 Memory corruption during failed plugin initialization
IMPACT: High
___

- http://www.securitytracker.com/id/1032171
CVE Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2706 - 6.8
Apr 21 2015
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 37.0.2...

- https://www.us-cert.gov/ncas/current-activity/2015/04/21/Mozilla-Releases-Security-Update-Firefox
Apr 21 2015

:fear:

AplusWebMaster
2015-05-12, 18:27
FYI...

Firefox 38 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

- https://www.mozilla.org/en-US/firefox/38.0/releasenotes/
May 12, 2015

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox38
Fixed in Firefox 38
2015-58 Mozilla Windows updater can be run outside of application directory
2015-57 Privilege escalation through IPC channel messages
2015-56 Untrusted site hosting trusted page can intercept webchannel responses
2015-55 Buffer overflow and out-of-bounds read while parsing MP4 video metadata
2015-54 Buffer overflow when parsing compressed XML
2015-53 Use-after-free due to Media Decoder Thread creation during shutdown
2015-52 Sensitive URL encoded information written to Android logcat
2015-51 Use-after-free during text processing with vertical text enabled
2015-50 Out-of-bounds read and write in asm.js validation
2015-49 Referrer policy ignored when links opened by middle-click and context menu
2015-48 Buffer overflow with SVG content and CSS
2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer
2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)

... complete list of changes in this release... 3660 bugs found.
___

- http://www.securitytracker.com/id/1032301
CVE Reference: CVE-2011-3079, CVE-2015-0797, CVE-2015-2708, CVE-2015-2709, CVE-2015-2710, CVE-2015-2711, CVE-2015-2712, CVE-2015-2713, CVE-2015-2714, CVE-2015-2715, CVE-2015-2716, CVE-2015-2717, CVE-2015-2718, CVE-2015-2720
May 13 2015
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 38.0 ...

:fear:

AplusWebMaster
2015-05-15, 04:26
FYI...

Firefox 38.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

- https://www.mozilla.org/en-US/firefox/38.0.1/releasenotes/
May 14, 2015
Fixed: Systems with first generation NVidia Optimus graphics cards may crash on start-up
Fixed: Users who import cookies from Google Chrome can end up with broken websites
Fixed: WebRTC H264 video streams from CiscoSpark native clients are not decoded correctly.
(Fixed in Firefox ESR 38.0.1; was already fixed in Firefox 38.0)
Fixed: Large animated images may fail to play and may stop other images from loading

:fear:

AplusWebMaster
2015-06-03, 06:47
FYI...

Firefox 38.0.5 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

- https://www.mozilla.org/en-US/firefox/38.0.5/releasenotes/
June 2, 2015
New: Keep track of articles and videos with Pocket
New: Clean formatting for articles and blog posts with Reader View
New: Share the active tab or window in a Hello conversation
Fixed: A race condition that would cause Firefox to stop painting when switching tabs
Fixed: Fixed graphics performance when using the built-in VGA driver on Windows 7
___

> https://wiki.mozilla.org/RapidRelease/Calendar#Future_branch_dates
release date: release
2015-06-30 - Firefox 39

V39.0 bugs...
- https://bugzilla.mozilla.org/show_bug.cgi?id=1151506
Status: REOPENED
Keywords: crash
Modified: 2015-07-01
Importance: critical ...
status-firefox39: fixed
- https://bugzilla.mozilla.org/showdependencygraph.cgi?id=1151506
___

Firefox Blocklist: https://addons.mozilla.org/en-US/firefox/blocked/

:fear:

AplusWebMaster
2015-07-03, 05:31
FYI...

Firefox 39.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

- https://www.mozilla.org/en-US/firefox/39.0/releasenotes/

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox39
Fixed in Firefox 39
2015-71 NSS incorrectly permits skipping of ServerKeyExchange
2015-70 NSS accepts export-length DHE keys with regular DHE cipher suites
2015-69 Privilege escalation in PDF.js
2015-68 OS X crash reports may contain entered key press information
2015-67 Key pinning is ignored when overridable errors are encountered
2015-66 Vulnerabilities found through code inspection
2015-65 Use-after-free in workers while using XMLHttpRequest
2015-64 ECDSA signature validation fails to handle some signatures correctly
2015-63 Use-after-free in Content Policy due to microtask execution error
2015-62 Out-of-bound read while computing an oscillator rendering range in Web Audio
2015-61 Type confusion in Indexed Database Manager
2015-60 Local files or privileged URLs in pages can be opened into new tabs
2015-59 Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1)

... complete list of changes in this release 3279 bugs found.
___

- http://www.securitytracker.com/id/1032783
CVE Reference: CVE-2015-2721, CVE-2015-2722, CVE-2015-2724, CVE-2015-2725, CVE-2015-2726, CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2730, CVE-2015-2731, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2741, CVE-2015-2742, CVE-2015-2743, CVE-2015-4000
Jul 3 2015
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of authentication information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 39.0 ...

:fear:

AplusWebMaster
2015-08-07, 14:55
FYI...

Firefox 39.0.3 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/39.0.3/releasenotes/

> https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/
Aug 6, 2015 - "... violate the same origin policy and inject script into a non-privileged part of the built-in PDF Viewer. This would allow an attacker to read and steal sensitive local files on the victim's computer. Mozilla has received reports that an exploit based on this vulnerability has been found in the wild."
Critical
Products: Firefox, Firefox ESR

Fixed in Firefox 39.0.3
> https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox39.0.3
Fixed in Firefox ESR 38.1.1
> https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.1.1
___

- http://www.securitytracker.com/id/1033216
CVE Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4495
"... as exploited in the wild in August 2015."
Aug 7 2015
Impact: Disclosure of system information, Disclosure of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 39.0.3...
Solution: The vendor has issued a fix (39.0.3, ESR 38.1.1).

- https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
Aug 6, 2015 - "... an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine... Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context... The exploit leaves no trace it has been run on the local machine..."

:fear:

AplusWebMaster
2015-08-11, 17:48
FYI...

Firefox 40 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/40.0/releasenotes/
What’s New:
- Support for Windows 10
- Added protection against unwanted software downloads
(More at the URL above.)

Fixed in Firefox 40.0
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox40
2015-92 Use-after-free in XMLHttpRequest with shared workers
2015-91 Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification
2015-90 Vulnerabilities found through code inspection
2015-89 Buffer overflows on Libvpx when decoding WebM video
2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images
2015-87 Crash when using shared memory in JavaScript
2015-85 Out-of-bounds write with Updater and malicious MAR file
2015-83 Overflow issues in libstagefright
2015-82 Redefinition of non-configurable JavaScript object properties
2015-81 Use-after-free in MediaStream playback
2015-80 Out-of-bounds read with malformed MP3 file
2015-79 Miscellaneous memory safety hazards (rv:40.0/rv:38.2)

... complete list of changes in this release - 3453 bugs found.

Fixed in Firefox ESR 38.2
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.2
___

Expanded Malware Protection in Firefox
- https://blog.mozilla.org/security/2015/08/11/expanded-malware-protection-in-firefox/
Aug 11, 2015
___

- http://www.securitytracker.com/id/1033247
CVE Reference: CVE-2015-4473, CVE-2015-4474, CVE-2015-4475, CVE-2015-4477, CVE-2015-4478, CVE-2015-4479, CVE-2015-4480, CVE-2015-4481, CVE-2015-4482, CVE-2015-4483, CVE-2015-4484, CVE-2015-4485, CVE-2015-4486, CVE-2015-4487, CVE-2015-4488, CVE-2015-4489, CVE-2015-4490, CVE-2015-4491, CVE-2015-4492, CVE-2015-4493
Aug 11 2015
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 40.0...
Solution: The vendor has issued a fix (40.0, ESR 38.2)...

:fear::fear:

AplusWebMaster
2015-08-28, 03:12
FYI...

Firefox 40.0.3 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/40.0.3/releasenotes/
Aug 27, 2015

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox40.0.3
Fixed in Firefox 40.0.3
2015-95 Add-on notification bypass through data URLs
2015-94 Use-after-free when resizing canvas element during restyling

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.2.1
___

- http://www.securitytracker.com/id/1033396
CVE Reference: CVE-2015-4498
Aug 27 2015
Impact: Modification of system information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 40.0.3 ...
Solution: The vendor has issued a fix (40.0.3, ESR 38.2.1).

- http://www.securitytracker.com/id/1033397
CVE Reference: CVE-2015-4497
Aug 27 2015
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 40.0.3 ...
Solution: The vendor has issued a fix (40.0.3, ESR 38.2.1).

:fear:

AplusWebMaster
2015-09-22, 20:18
FYI...

Firefox 41.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/41.0/releasenotes/
Sep 22, 2015

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox41
Fixed in Firefox 41
2015-114 Information disclosure via the High Resolution Time API
2015-113 Memory safety errors in libGLES in the ANGLE graphics library
2015-112 Vulnerabilities found through code inspection
2015-111 Errors in the handling of CORS preflight request headers
2015-110 Dragging and dropping images exposes final URL after redirects
2015-109 JavaScript immutable property enforcement can be bypassed
2015-108 Scripted proxies can access inner window
2015-107 Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems
2015-106 Use-after-free while manipulating HTML media content
2015-105 Buffer overflow while decoding WebM video
2015-104 Use-after-free with shared workers and IndexedDB
2015-103 URL spoofing in reader mode
2015-102 Crash when using debugger with SavedStacks in JavaScript
2015-101 Buffer overflow in libvpx while parsing vp9 format video
2015-100 Arbitrary file manipulation by local user through Mozilla updater
2015-99 Site attribute spoofing on Android by pasting URL with unknown scheme
2015-98 Out of bounds read in QCMS library with ICC V4 profile attributes
2015-97 Memory leak in mozTCPSocket to servers
2015-96 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3)

... complete list of changes in this release... 3502 bugs found.

Fixed in Firefox ESR 38.3
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.3
___

- http://www.securitytracker.com/id/1033640
CVE Reference: CVE-2015-4476, CVE-2015-4500, CVE-2015-4501, CVE-2015-4502, CVE-2015-4503, CVE-2015-4504, CVE-2015-4505, CVE-2015-4506, CVE-2015-4507, CVE-2015-4508, CVE-2015-4509, CVE-2015-4510, CVE-2015-4512, CVE-2015-4516, CVE-2015-4517, CVE-2015-4519, CVE-2015-4520, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174, CVE-2015-7175, CVE-2015-7176, CVE-2015-7177, CVE-2015-7180
Sep 22 2015
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 41.0...
Solution: The vendor has issued a fix (41.0, ESR 38.3).

:fear:

AplusWebMaster
2015-10-17, 15:10
FYI...

Firefox 41.0.2 released

Start Firefox, then >Help >About >Apply Update ...

Release notes
- https://www.mozilla.org/en-US/firefox/41.0.2/releasenotes/
Oct 15, 2015

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox41.0.2
2015-115 Cross-origin restriction bypass using Fetch
___

- http://www.securitytracker.com/id/1033820
CVE Reference: CVE-2015-7184
Oct 16 2015
Impact: Disclosure of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 41.0.2 ...
Impact: A remote user can obtain potentially sensitive information from other origins on the target system.
Solution: The vendor has issued a fix (41.0.2)...

:fear:

AplusWebMaster
2015-11-03, 18:50
FYI...

Firefox 42.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/42.0/releasenotes/
Nov 3, 2015

... complete list of changes in this release... 3230 bugs found.

Fixed in Firefox 42.0
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox42
MFSA 2015-133 NSS and NSPR memory corruption issues
MFSA 2015-132 Mixed content WebSocket policy bypass through workers
MFSA 2015-131 Vulnerabilities found through code inspection
MFSA 2015-130 JavaScript garbage collection crash with Java applet
MFSA 2015-129 Certain escaped characters in host of Location-header are being treated as non-escaped
MFSA 2015-128 Memory corruption in libjar through zip files
MFSA 2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received
MFSA 2015-126 Crash when accessing HTML tables with accessibility tools on OS X
MFSA 2015-125 XSS attack through intents on Firefox for Android
MFSA 2015-124 Android intents can be used on Firefox for Android to open privileged files
MFSA 2015-123 Buffer overflow during image interactions in canvas
MFSA 2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy
MFSA 2015-121 Disabling scripts in Add-on SDK panels has no effect
MFSA 2015-120 Reading sensitive profile files through local HTML file on Android
MFSA 2015-119 Firefox for Android addressbar can be removed after fullscreen mode
MFSA 2015-118 CSP bypass due to permissive Reader mode whitelist
MFSA 2015-117 Information disclosure through NTLM authentication
MFSA 2015-116 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)

Fixed in Firefox ESR 38.4
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.4
___

- http://www.securitytracker.com/id/1034069
CVE Reference: CVE-2015-4513, CVE-2015-4514, CVE-2015-4515, CVE-2015-4518, CVE-2015-7181, CVE-2015-7182, CVE-2015-7183, CVE-2015-7185, CVE-2015-7186, CVE-2015-7187, CVE-2015-7188, CVE-2015-7189, CVE-2015-7190, CVE-2015-7191, CVE-2015-7192, CVE-2015-7193, CVE-2015-7194, CVE-2015-7195, CVE-2015-7196, CVE-2015-7197, CVE-2015-7198, CVE-2015-7199, CVE-2015-7200
Nov 5 2015
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 42.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (ESR 38.4; 42.0).

:fear:

AplusWebMaster
2015-12-15, 21:14
FYI...

Firefox 43.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/43.0/releasenotes/
Dec 15, 2015

... complete list of changes in this release... 3067 bugs found.

Fixed in Firefox 43.0
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox43
2015-149 Cross-site reading attack through data and view-source URIs
2015-148 Privilege escalation vulnerabilities in WebExtension APIs
2015-147 Integer underflow and buffer overflow processing MP4 metadata in libstagefright
2015-146 Integer overflow in MP4 playback in 64-bit versions
2015-145 Underflow through code inspection
2015-144 Buffer overflows found through code inspection
2015-143 Linux file chooser crashes on malformed images due to flaws in Jasper library
2015-142 DOS due to malformed frames in HTTP/2
2015-141 Hash in data URI is incorrectly parsed
2015-140 Cross-origin information leak through web workers error events
2015-139 Integer overflow allocating extremely large textures
2015-138 Use-after-free in WebRTC when datachannel is used after being destroyed
2015-137 Firefox allows for control characters to be set in cookies
2015-136 Same-origin policy violation using performance.getEntries and history navigation
2015-135 Crash with JavaScript variable assignment with unboxed objects
2015-134 Miscellaneous memory safety hazards (rv:43.0 / rv:38.5)

Fixed in Firefox ESR 38.5
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.5
___

- http://www.securitytracker.com/id/1034426
CVE Reference: CVE-2015-7201, CVE-2015-7202, CVE-2015-7203, CVE-2015-7204, CVE-2015-7205, CVE-2015-7207, CVE-2015-7208, CVE-2015-7210, CVE-2015-7211, CVE-2015-7212, CVE-2015-7213, CVE-2015-7214, CVE-2015-7215, CVE-2015-7216, CVE-2015-7217, CVE-2015-7218, CVE-2015-7219, CVE-2015-7220, CVE-2015-7221, CVE-2015-7222, CVE-2015-7223
Dec 16 2015
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 43.0 ...
Solution: The vendor has issued a fix (43.0, ESR 38.5).

- https://www.us-cert.gov/ncas/current-activity/2015/12/15/Mozilla-Releases-Security-Updates-Firefox-and-Firefox-ESR
Dec 15, 2015
___

- http://www.securitytracker.com/id/1034541
CVE Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575
Dec 28 2015
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 43.0.2 ...
Impact: A remote user can conduct hash collision forgery attacks.
Solution: The vendor has issued a fix (43.0.2, ESR 38.5.2).

- https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/
Fixed in: Firefox 43.0.2, Firefox ESR 38.5.2

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7575
Last revised: 01/08/2016
___

- https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-with-increased-security/
Jan 6, 2016

:fear::fear:

AplusWebMaster
2016-01-26, 21:19
FYI...

Firefox 44.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/44.0/releasenotes/
Jan 26, 2015
New:
Improved warning pages for certificate errors and untrusted connections
Enable H.264 if system decoder is available
Enable WebM/VP9 video support on systems that don't support MP4/H.264
In the animation-inspector timeline, lightning bolt icon next to animations running on the compositor thread
Support the brotli compression format via HTTPS content-encoding
Screenshot commands allow user choice of pixel ratio in Developer Tools
Fixed:
Windows XP and Vista screensaver doesn't disable when watching videos (Bug 1193610)

Fixed in Firefox 44.0
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox44
2016-12 Lightweight themes on Firefox for Android do not verify a secure connection
2016-11 Application Reputation service disabled in Firefox 43
2016-10 Unsafe memory manipulation found through code inspection
2016-09 Addressbar spoofing attacks
2016-08 Delay following click events in file download dialog too short on OS X
2016-06 Missing delay following user click events in protocol handler dialog
2016-05 Addressbar spoofing through stored data url shortcuts on Firefox for Android
2016-04 Firefox allows for control characters to be set in cookie names
2016-03 Buffer overflow in WebGL after out of memory allocation
2016-02 Out of Memory crash when parsing GIF format images
2016-01 Miscellaneous memory safety hazards (rv:44.0 / rv:38.6)

Fixed in Firefox ESR 38.6
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.6
___

- http://www.securitytracker.com/id/1034825
CVE Reference: CVE-2015-7208, CVE-2016-1930, CVE-2016-1931, CVE-2016-1933, CVE-2016-1935, CVE-2016-1937, CVE-2016-1938, CVE-2016-1939, CVE-2016-1940, CVE-2016-1941, CVE-2016-1942, CVE-2016-1943, CVE-2016-1944, CVE-2016-1945, CVE-2016-1946, CVE-2016-1947, CVE-2016-1948
Jan 27 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 44.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can cause denial of service conditions.
A remote user can bypass security controls on the target system.
A remote user can spoof a URL.
Solution: The vendor has issued a fix (44; ESR 38.6)...
___

44.0.1
- https://www.mozilla.org/en-US/firefox/44.0.1/releasenotes/
Feb 8, 2016
Fixed:
Fix issue which could lead to the removal of stored passwords under certain circumstances (1242176)
Allows spaces in cookie names (1244505)
Fix WebSockets when used in a Service Worker context (1243942)
Disable opus/vorbis audio with H.264 (1245696)
Require NSS 3.21 (1244069)
Ship the Gecko SDK (1243740)
Fix for graphics startup crash (GNU/Linux) (1222171)
Fix a crash in cache networking (1244076).

:fear::fear:

AplusWebMaster
2016-02-12, 15:00
FYI...

Firefox 44.0.2 released

Start Firefox, then >Help >About >Apply Update ...

Release notes
- https://www.mozilla.org/en-US/firefox/44.0.2/releasenotes/
Feb 11, 2016
Fixed:
Firefox hangs or crashes on startup (1243098)
Various security fixes:
> https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox44.0.2
2016-13 Same-origin-policy violation using Service Workers with plugins
Critical - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1949
Fixed in: Firefox 44.0.2

Firefox ESR 38.6.1
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.6.1
2016-14 Vulnerabilities in Graphite 2
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1523

- https://www.us-cert.gov/ncas/current-activity/2016/02/11/Mozilla-Releases-Security-Updates
Feb 11, 2016

:fear::fear:

AplusWebMaster
2016-03-08, 19:12
FYI...

Firefox v45.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

- https://www.mozilla.org/en-US/firefox/45.0/releasenotes/
Mar 8, 2016
New:
Instant browser tab sharing through Hello
Tabs synced via Firefox Accounts from other devices are now shown in dropdown area of Awesome Bar when searching
Synced Tabs button in button bar
Introduce a new preference (network.dns.blockDotOnion) to allow blocking .onion at the DNS level
Guarani [gn] locale added
Fixed:
URLs containing a Unicode-format Internationalized Domain Name (IDN) are now properly redirected
Various security fixes*

* https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox45
Fixed in Firefox 45
2016-37 Font vulnerabilities in the Graphite 2 library
2016-35 Buffer overflow during ASN.1 decoding in NSS
2016-34 Out-of-bounds read in HTML parser following a failed allocation
2016-33 Use-after-free in GetStaticInstance in WebRTC
2016-32 WebRTC and LibVPX vulnerabilities found through code inspection
2016-31 Memory corruption with malicious NPAPI plugin
2016-30 Buffer overflow in Brotli decompression
2016-29 Same-origin policy violation using performance.getEntries and history navigation with session restore
2016-28 Addressbar spoofing through history navigation and Location protocol property
2016-27 Use-after-free during XML transformations
2016-26 Memory corruption when modifying a file being read by FileReader
2016-25 Use-after-free when using multiple WebRTC data channels
2016-24 Use-after-free in SetBody
2016-23 Use-after-free in HTML5 string parser
2016-22 Service Worker Manager out-of-bounds read in Service Worker Manager
2016-21 Displayed page address can be overridden
2016-20 Memory leak in libstagefright when deleting an array during MP4 processing
2016-19 Linux video memory DOS with Intel drivers
2016-18 CSP reports fail to strip location information for embedded iframe pages
2016-17 Local file overwriting and potential privilege escalation through CSP reports
2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)

- https://tinyurl.com/jm28onb
"... 2948 bugs found."

Fixed in Firefox ESR 38.7
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.7
___

- http://www.securitytracker.com/id/1035215
CVE Reference: CVE-2016-1950, CVE-2016-1952, CVE-2016-1953, CVE-2016-1954, CVE-2016-1955, CVE-2016-1956, CVE-2016-1957, CVE-2016-1958, CVE-2016-1959, CVE-2016-1960, CVE-2016-1961, CVE-2016-1962, CVE-2016-1963, CVE-2016-1964, CVE-2016-1965, CVE-2016-1966, CVE-2016-1967, CVE-2016-1968, CVE-2016-1970, CVE-2016-1971, CVE-2016-1972, CVE-2016-1973, CVE-2016-1974, CVE-2016-1975, CVE-2016-1976, CVE-2016-1977, CVE-2016-1979, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802
Mar 9 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 45.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can cause denial of service conditions.
A remote user can overwrite files on the target system.
A remote user can bypass same-origin restrictions on the target system.
A remote user can spoof the address bar.
Solution: The vendor has issued a fix (ESR 38.7; 45.0)...
___

- https://www.us-cert.gov/ncas/current-activity/2016/03/08/Mozilla-Releases-Security-Updates
March 08, 2016

:fear:

AplusWebMaster
2016-03-19, 02:52
FYI...

Firefox 45.0.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/45.0.1/releasenotes/
March 18, 2016
Fixed:
- Fix a -regression- causing search engine settings to be lost in some context (1254694)
- Bring back non-standard jar: URIs to fix a -regression- in IBM iNotes (1255139)
- XSLTProcessor.importStylesheet was failing when <import> was used (1249572)
- Fix an issue which could cause the list of search provider to be empty (1255605)
- Fix a -regression- when using the location bar (1254503)
- Fix some loading issues when Accept third-party cookies: was set to Never (1254856)
Changed:
- Disabled Graphite font shaping library

> https://wiki.mozilla.org/Releases/Firefox_45.0.1/BuildNotes#Issues

:fear::fear:

AplusWebMaster
2016-04-12, 04:50
FYI...

Firefox 45.0.2 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/45.0.2/releasenotes/
April 11, 2016
Fixed:
Fix an issue impacting the cookie header when third-party cookies are blocked (1257861)
Fix a web compatibility regression impacting the srcset attribute of the image tag (1259482)
Fix a crash impacting the video playback with Media Source Extension (1258562)
Fix a regression impacting some specific uploads (1255735)
Fix a regression with the copy and paste with some old versions of some Gecko applications like Thunderbird (1254980)

:fear::fear:

AplusWebMaster
2016-04-26, 18:49
FYI...

Firefox 46.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/46.0/releasenotes/
April 26, 2016
New:
Improved security of the JavaScript Just In Time (JIT) Compiler
GTK3 integration (GNU/Linux only)
Fixed:
Screen reader behavior with blank spaces in Google Docs corrected
Correct rendering for scaled SVGs that use a clip and a mask
Changed:
WebRTC fixes to improve performance and stability
Developer:
Display dominator trees in Memory tool
Allocation and garbage collection pause profiling in the performance panel
Launch responsive mode from the Style Editor @media sidebar
HTML5:
Added support for document.elementsFromPoint
Added HKDF support for Web Crypto API

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox46
Fixed in Firefox 46
2016-48 Firefox Health Reports could accept events from untrusted domains
2016-47 Write to invalid HashMap entry through JavaScript.watch()
2016-45 CSP not applied to pages sent with multipart/x-mixed-replace
2016-44 Buffer overflow in libstagefright with CENC offsets
2016-43 Disclosure of user actions through JavaScript with motion and orientation sensors
2016-42 Use-after-free and buffer overflow in Service Workers
2016-41 Content provider permission bypass allows malicious application to access data
2016-40 Privilege escalation through file deletion by Maintenance Service updater
2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)

- https://bugzilla.mozilla.org/buglist.cgi?j_top=OR&f1=target_milestone&o3=equals&v3=Firefox%2046&o1=equals&resolution=FIXED&o2=anyexact&query_format=advanced&f3=target_milestone&f2=cf_status_firefox46&bug_status=RESOLVED&bug_status=VERIFIED&bug_status=CLOSED&v1=mozilla46&v2=fixed%2Cverified&limit=0
... 3059 bugs found.

Fixed in Firefox ESR 38.8
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.8

Fixed in Firefox ESR 45.1
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.1
___

- http://www.securitytracker.com/id/1035692
CVE Reference: CVE-2016-2804, CVE-2016-2805, CVE-2016-2806, CVE-2016-2807, CVE-2016-2808, CVE-2016-2809, CVE-2016-2810, CVE-2016-2811, CVE-2016-2812, CVE-2016-2813, CVE-2016-2814, CVE-2016-2816, CVE-2016-2817, CVE-2016-2820
Apr 27 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 46.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote or local user can gain elevated privileges on the target system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (46.0; ESR 38.8, ESR 45.1)...

:fear::fear:

AplusWebMaster
2016-05-04, 00:06
FYI...

Firefox 46.0.1 released

Start Firefox, then >Help >About >Apply Update ...

- https://www.mozilla.org/en-US/firefox/46.0.1/releasenotes/
May 3, 2016
Fixed:
Fix for search plugin issue for various locales (Bug 1246494)
Fix for add-on signing certificate expiration (Bug 1267318)
Limit Sync registration updates (Bug 1262312)
Fix for service worker update issue (Bug 1267733)
Fix a build issue when jit is disabled (Bug 1266366)
Fix for page loading issue related to antivirus software (Bug 1268922)

:fear:

AplusWebMaster
2016-06-07, 18:06
FYI...

Firefox 47.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/47.0/releasenotes/
June 7, 2016
New...
Fixed...
Changed...
Developer...
HTML5...

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox47
Fixed in Firefox 47
2016-62 Network Security Services (NSS) vulnerabilities
2016-60 Java applets bypass CSP protections
2016-59 Information disclosure of disabled plugins through CSS pseudo-classes
2016-58 Entering fullscreen and persistent pointerlock without user permission
2016-57 Incorrect icon displayed on permissions notifications
2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction
2016-55 File overwrite and privilege escalation through Mozilla Windows updater
2016-54 Partial same-origin-policy through setting location.host through data URI
2016-53 Out-of-bounds write with WebGL shader
2016-52 Addressbar spoofing through the SELECT element
2016-51 Use-after-free deleting tables from a contenteditable document
2016-50 Buffer overflow parsing HTML5 fragments
2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)

Fixed in Firefox ESR 45.2
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.2

... 3389 bugs found.
___

- https://www.us-cert.gov/ncas/current-activity/2016/06/07/Mozilla-Releases-Security-Updates
June 07, 2016
___

- http://www.securitytracker.com/id/1036057
CVE Reference: CVE-2016-2815, CVE-2016-2818, CVE-2016-2819, CVE-2016-2821, CVE-2016-2822, CVE-2016-2824, CVE-2016-2825, CVE-2016-2826, CVE-2016-2828, CVE-2016-2829, CVE-2016-2831, CVE-2016-2832, CVE-2016-2833, CVE-2016-2834
Jun 8 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 47.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A local user can obtain elevated privileges on the target system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof a URL.
Solution: The vendor has issued a fix (47.0; ESR 45.2)...

:fear::fear:

AplusWebMaster
2016-08-02, 19:38
FYI...

Firefox 48.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/48.0/releasenotes/
Aug 2, 2016
New...
Fixed...
Changed...
Developer...
Unresolved...

... 4050 bugs found.

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox48
Fixed in Firefox 48
2016-84 Information disclosure through Resource Timing API during page navigation
2016-83 Spoofing attack through text injection into internal error pages
2016-82 Addressbar spoofing with right-to-left characters on Firefox for Android
2016-81 Information disclosure and local file manipulation through drag and drop
2016-80 Same-origin policy violation using local HTML file and saved shortcut file
2016-79 Use-after-free when applying SVG effects
2016-78 Type confusion in display transformation
2016-77 Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback
2016-76 Scripts on marquee tag can execute in sandboxed iframes
2016-75 Integer overflow in WebSockets during data buffering
2016-74 Form input type change from password to text can store plain text password in session restore file
2016-73 Use-after-free in service workers with nested sync events
2016-72 Use-after-free in DTLS during WebRTC session shutdown
2016-71 Crash in incremental garbage collection in JavaScript
2016-70 Use-after-free when using alt key and toplevel menus
2016-69 Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter
2016-68 Out-of-bounds read during XML parsing in Expat library
2016-67 Stack underflow during 2D graphics rendering
2016-66 Location bar spoofing via data URLs with malformed/invalid mediatypes
2016-65 Cairo rendering crash due to memory allocation issue with FFMpeg 0.10
2016-64 Buffer overflow rendering SVG with bidirectional content
2016-63 Favicon network connection can persist when page is closed
2016-62 Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)

Firefox ESR 45.3
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.3
___

Enhancing Download Protection in Firefox
- https://blog.mozilla.org/security/2016/08/01/enhancing-download-protection-in-firefox/
Aug 1, 2016
___

- http://www.securitytracker.com/id/1036508
CVE Reference: CVE-2016-2830, CVE-2016-2835, CVE-2016-2836, CVE-2016-2837, CVE-2016-2838, CVE-2016-2839, CVE-2016-5250, CVE-2016-5251, CVE-2016-5252, CVE-2016-5253, CVE-2016-5254, CVE-2016-5255, CVE-2016-5258, CVE-2016-5259, CVE-2016-5260, CVE-2016-5261, CVE-2016-5262, CVE-2016-5263, CVE-2016-5264, CVE-2016-5265, CVE-2016-5266, CVE-2016-5267, CVE-2016-5268
Aug 3 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 48.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can modify files on the target system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof content.
A local user can gain elevated privileges on the target system.
Solution: The vendor has issued a fix (48.0, ESR 45.3)...
___

- https://www.us-cert.gov/ncas/current-activity/2016/08/03/Mozilla-Releases-Security-Updates
Aug 03, 2016

:fear:

AplusWebMaster
2016-08-19, 21:42
FYI...

Firefox 48.0.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/48.0.1/releasenotes/
Aug 18, 2016
Fixed:
Fix an audio regression impacting some major websites (bug 1295296)
Fix a top crash in the JavaScript engine (Bug 1290469)
Fix a startup crash issue caused by Websense (Bug 1291738)
Fix a different behavior with e10s / non-e10s on <select> and mouse events (Bug 1291078)
Fix a top crash caused by plugin issues (Bug 1264530)
Fix an unsigned add-ons issue on Windows
Fix a shutdown issue (Bug 1276920)
Fix a crash in WebRTC

:fear::fear:

AplusWebMaster
2016-09-20, 21:55
FYI...

Firefox 49.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/49.0/releasenotes/
Sep 20, 2016
New...
Fixed...
Changed...
Developer...

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox49
Fixed in Firefox 49
2016-85 Security vulnerabilities fixed in Firefox 49: https://www.mozilla.org/en-US/security/advisories/mfsa2016-85/

Firefox 45.4: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.4
___

- http://www.securitytracker.com/id/1036852
CVE Reference: CVE-2016-2827, CVE-2016-5256, CVE-2016-5257, CVE-2016-5270, CVE-2016-5271, CVE-2016-5272, CVE-2016-5273, CVE-2016-5274, CVE-2016-5275, CVE-2016-5276, CVE-2016-5277, CVE-2016-5278, CVE-2016-5279, CVE-2016-5280, CVE-2016-5281, CVE-2016-5282, CVE-2016-5283, CVE-2016-5284
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 49.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can cause the target application to crash.
A remote user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (49.0)...
___

- https://www.us-cert.gov/ncas/current-activity/2016/09/20/Mozilla-Releases-Security-Updates
Sep 20, 2016

:fear::fear:

AplusWebMaster
2016-10-21, 01:27
FYI...

Firefox 49.0.2 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

- https://www.mozilla.org/en-US/firefox/49.0.2/releasenotes/
Oct 20, 2016
New: Asynchronous rendering of the Flash plugins is now enabled by default. This should improve performance and reduce crashes for sites that use the Flash plugin. (Bug 1307108)
Fixed: Change D3D9 default fallback preference to prevent graphical artifacts (Bug 1306465)
Network issue prevents some users from seeing the Firefox UI on startup (Bug 1305436)
Web compatibility issue with Array.prototype.values (Bug 1299593)
Various security fixes: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox49.0.2
Fixed in Firefox 49.0.2:
> https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/
Web compatibility issue with file uploads (Bug 1306472)
Changed: Diagnostic information on timing for tab switching (Bug 1304113)
Reference link to Firefox 49.0.1 release notes:
> https://www.mozilla.org/firefox/49.0.1/releasenotes/
Fix a Canvas filters graphics issue affecting HTML5 apps (Bug 1304539)
___

- http://www.securitytracker.com/id/1037077
CVE Reference: CVE-2016-5287, CVE-2016-5288
Oct 21 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 48.x, 49.x ...
Impact: A remote user can execute arbitrary code on the target system.
A remote user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (49.0.2)...
___

- https://www.us-cert.gov/ncas/current-activity/2016/10/20/Mozilla-Releases-Security-Update-Firefox
Oct 20, 2016

:fear:

AplusWebMaster
2016-11-15, 21:30
FYI...

Firefox 50.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/50.0/releasenotes/
Nov 15, 2016
New:
- Updates to keyboard shortcuts
Set a preference to have Ctrl+Tab cycle through tabs in recently used order
View a page in Reader Mode by using Ctrl+Alt+R (command+alt+r on Mac)
- Added option to Find in page that allows users to limit search to whole words only
- Added Guarani (gn) locale
- Increased availability of WebGL to more than 98 percent of users on Windows 7 and newer
- Added download protection for a large number of executable file types on Windows, Mac and Linux
- Improved performance for SDK extensions or extensions using the SDK module loader
- Playback video on more sites without plugins with WebM EME Support for Widevine on Windows and Mac
Fixed:
- Fixed rendering of dashed and dotted borders with rounded corners (border-radius)
- Various security fixes
Changed:
- Added a built-in Emoji set for operating systems without native Emoji fonts (Windows 8.0 and lower and Linux)
- Blocked versions of libavcodec older than 54.35.1 ...

Fixed in Firefox 50.0
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox50
2016-89 Security vulnerabilities fixed in Firefox 50
- https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/
Critical - CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
High - CVE-2016-5292: URL parsing causes crash
High - CVE-2016-5293: Write to arbitrary file with updater and moz maintenance service using updater.log hardlink
High - CVE-2016-5294: Arbitrary target directory for result files of update process
High - CVE-2016-5297: Incorrect argument length checking in Javascript
High - CVE-2016-9064: Addons update must verify IDs match between current and new versions
High - CVE-2016-9065: Firefox for Android location bar spoofing using fullscreen
High - CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler
High - CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore
High - CVE-2016-9068: heap-use-after-free in nsRefreshDriver
High - CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile
High - CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges
High - CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them
Moderate - CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file
Moderate - CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM
Moderate - CVE-2016-5298: SSL indicator can mislead the user about the real URL visited
Moderate - CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions
Moderate - CVE-2016-9061: API Key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions
Moderate - CVE-2016-9062: Private browsing browser traces (android) in browser.db and wal file
Moderate - CVE-2016-9070: Sidebar bookmark can have reference to chrome window
Moderate - CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"
Moderate - CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler
Moderate - CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s
Low - CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in expat
Low - CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP
Critical - CVE-2016-5289: Memory safety bugs fixed in Firefox 50
Critical - CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5

Firefox ESR 45.5: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.5
- https://www.mozilla.org/en-US/security/advisories/mfsa2016-90/
Nov 15, 2016
___

- http://www.securitytracker.com/id/1037298
CVE Reference: CVE-2016-5289, CVE-2016-5290, CVE-2016-5291, CVE-2016-5292, CVE-2016-5293, CVE-2016-5294, CVE-2016-5295, CVE-2016-5296, CVE-2016-5297, CVE-2016-5298, CVE-2016-5299, CVE-2016-9061, CVE-2016-9062, CVE-2016-9063, CVE-2016-9064, CVE-2016-9065, CVE-2016-9066, CVE-2016-9067, CVE-2016-9068, CVE-2016-9069, CVE-2016-9070, CVE-2016-9071, CVE-2016-9072, CVE-2016-9073, CVE-2016-9074, CVE-2016-9075, CVE-2016-9076, CVE-2016-9077
Nov 16 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 50.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A local user can obtain data on the target system.
A local user can modify files on the target system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof a URL.
Solution: The vendor has issued a fix (50.0)...
___

- https://www.us-cert.gov/ncas/current-activity/2016/11/15/Mozilla-Releases-Security-Updates
Nov 15, 2016

:fear:

AplusWebMaster
2016-11-29, 12:37
FYI...

Firefox 50.0.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

- https://www.mozilla.org/en-US/firefox/50.0.1/releasenotes/
Nov 28, 2016
> https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox50.0.1
Security vulnerabilities fixed in Firefox 50.0.1
> https://www.mozilla.org/en-US/security/advisories/mfsa2016-91/
CVE-2016-9078: data: URL can inherit wrong origin after an HTTP redirect
Impact: Critical
___

- http://www.securitytracker.com/id/1037353
CVE Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9078
Nov 29 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 49, 50 ...
Description: A vulnerability was reported in Mozilla Firefox. A remote user can bypass security controls on the target system.
A remote user can return a specially crafted HTTP redirection to a 'data:' URL to bypass same-origin controls and allow the referring domain to access data in the 'data:' URL domain.
Impact: A remote user can bypass same-origin restrictions to potentially read or write information from 'data:' URLs.
Solution: The vendor has issued a fix (50.0.1)...
___

- https://www.us-cert.gov/ncas/current-activity/2016/11/28/Mozilla-Releases-Security-Update
Nov 28, 2016

:fear::fear:

AplusWebMaster
2016-12-01, 12:21
FYI...

Firefox 50.0.2 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

- https://www.mozilla.org/en-US/firefox/50.0.2/releasenotes/
Nov 30, 2016
> https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox50.0.2
Fixed in:
Firefox 50.0.2
Firefox ESR 45.5.1
Thunderbird 45.5.1
> https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/
CVE-2016-9079: Use-after-free in SVG Animation
Critical
___

- http://www.securitytracker.com/id/1037370
CVE Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9079
Updated: Dec 1 2016
Original Entry Date: Nov 30 2016
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Version(s): 50.0.1; possibly earlier versions
Impact: A remote user can create JavaScript content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (50.0.2; ESR 45.5.1)...
___

- https://www.us-cert.gov/ncas/current-activity/2016/11/30/Mozilla-Releases-Security-Updates
Nov 30, 2016

:fear::fear:

AplusWebMaster
2016-12-13, 19:49
FYI...

Firefox 50.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/50.1.0/releasenotes/
Dec 13, 2016
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox50.1 ...
> https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/
CVE-2016-9894: Buffer overflow in SkiaGL - Critical
CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements - Critical
CVE-2016-9895: CSP bypass using marquee tag - High
CVE-2016-9896: Use-after-free with WebVR - High
CVE-2016-9897: Memory corruption in libGLES - High
CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees - High
CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs - High
CVE-2016-9904: Cross-origin information leak in shared atoms - High
CVE-2016-9901: Data from Pocket server improperly sanitized before execution - Moderate
CVE-2016-9902: Pocket extension does not validate the origin of events - Moderate
CVE-2016-9903: XSS injection vulnerability in add-ons SDK - Moderate
CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1 - Critical
CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6 - Critical
___

- http://www.securitytracker.com/id/1037461
CVE Reference: CVE-2016-9080, CVE-2016-9893, CVE-2016-9894, CVE-2016-9895, CVE-2016-9896, CVE-2016-9897, CVE-2016-9898, CVE-2016-9899, CVE-2016-9900, CVE-2016-9901, CVE-2016-9902, CVE-2016-9903, CVE-2016-9904
Dec 14 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 50.1; ESR prior to ESR 45.6
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (50.1; ESR 45.6)...

- http://www.securitytracker.com/id/1037462
CVE Reference: CVE-2016-9905
Dec 14 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to ESR 45.6
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (ESR 45.6)...

Firefox ESR 45.6: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.6

:fear::fear:

AplusWebMaster
2016-12-27, 23:03
FYI...

Update on Firefox Support for Windows XP and Vista
- https://blog.mozilla.org/futurereleases/2016/12/23/firefox-support-for-xp-and-vista/
Dec 23, 2016 - "In approximately March, 2017, Windows XP and Vista users will automatically be moved to the Firefox Extended Support Release (ESR*).
Firefox is one of the few browsers that continues to support Windows XP and Vista, and we expect to continue to provide security updates for users until September 2017. Users do not need to take additional action to receive those updates. In mid-2017, user numbers on Windows XP and Vista will be reassessed and a final support end date will be announced. In the meantime, we strongly encourage our users to upgrade to a version of Windows that is supported by Microsoft. Unsupported operating systems receive no security updates, have known exploits, and are dangerous for you to use. For planning purposes, enterprises using Firefox should consider September 2017 as the support end date for Windows XP and Vista. For more information please visit the Firefox support page**."
* https://www.mozilla.org/en-US/firefox/organizations/

** https://support.mozilla.org/en-US/kb/end-support-windows-xp-and-vista
"... Firefox version 52 will be the last complete update for Windows XP and Windows Vista. Security updates will be released, but no new features... Firefox is one of the only browsers to offer any support for Windows XP and Vista. Microsoft itself ended support for Windows XP in 2014 and will end support for Windows Vista in 2017. Unsupported operating systems receive no security updates, have known exploits, and can be dangerous to use, which makes it difficult to maintain Firefox on those versions.
Firefox security updates for XP and Vista users will continue until September 2017, although new features will not be offered. In mid-2017, a final support end date will be announced based on the number of users still on Windows XP and Vista..."

> https://www.mozilla.org/en-US/firefox/organizations/faq/

:fear::fear:

AplusWebMaster
2017-01-24, 20:16
FYI...

Firefox 51.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/51.0/releasenotes/
Jan 24, 2017

Security vulnerabilities fixed in Firefox 51
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox51
Security vulnerabilities fixed in Firefox 51
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/
Critical
CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP
CVE-2017-5376: Use-after-free in XSL
CVE-2017-5377: Memory corruption with transforms to create gradients in Skia
CVE-2017-5374: Memory safety bugs fixed in Firefox 51
CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7

Firefox ESR 45.7: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.7
___

- http://www.securitytracker.com/id/1037693
CVE Reference: CVE-2017-5373, CVE-2017-5374, CVE-2017-5375, CVE-2017-5376, CVE-2017-5377, CVE-2017-5378, CVE-2017-5379, CVE-2017-5380, CVE-2017-5381, CVE-2017-5382, CVE-2017-5383, CVE-2017-5384, CVE-2017-5385, CVE-2017-5386, CVE-2017-5387, CVE-2017-5388, CVE-2017-5389, CVE-2017-5390, CVE-2017-5391, CVE-2017-5392, CVE-2017-5393, CVE-2017-5394, CVE-2017-5395, CVE-2017-5396
Jan 25 2017
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 51.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can gain elevated privileges on the target system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof a URL.
Solution: The vendor has issued a fix (51.0, ESR 45.7)...

:fear:

AplusWebMaster
2017-03-07, 23:10
FYI...

Firefox 52.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/52.0/releasenotes/
Mar 7, 2017
New:
- Added support for WebAssembly, an emerging standard that brings near-native performance to Web-based games, apps, and software libraries without the use of plugins.
- Enabled multi-process Firefox for Windows users with touch screens
- Added user warnings for non-secure HTTP pages with logins. Firefox now displays a “This connection is not secure” message when users click into the username and password fields on pages that don’t use HTTPS.
- Implemented the Strict Secure Cookies specification which forbids insecure HTTP sites from setting cookies with the "secure" attribute. In some cases, this will prevent an insecure site from setting a cookie with the same name as an existing "secure" cookie from the same base domain.
- Enhanced Sync to allow users to send and open tabs from one device to another...
Changed:
- Removed support for Netscape Plugin API (NPAPI) plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported:
> https://support.mozilla.org/t5/Problems-with-add-ons-plugins-or/Why-do-Java-Silverlight-Adobe-Acrobat-and-other-plugins-no/ta-p/31069
>> Migrated Firefox users on Windows XP and Windows Vista operating systems to the extended support release (ESR*) version of Firefox...

[Corrections:
> https://www.mozilla.org/en-US/firefox/52.0/system-requirements/
"... Windows
Operating Systems (32-bit and 64-bit)
Windows XP SP2
Windows Server 2003 SP1
Windows Vista
Windows 7
Windows 8
Windows 10
Please note that 64-bit builds of Firefox are only supported on Windows 7 and higher.
Windows XP/Vista/Server 2003 are no longer supported by regular Firefox releases.
These users should migrate to ESR 52..."
[Direct download for Firefox Extended Support Release]:
>> https://www.mozilla.org/en-US/firefox/organizations/all/
... which -is- the new -supported- version for XP and Vista.]

Firefox ESR Overview
- https://www.mozilla.org/en-US/firefox/organizations/faq/

Security vulnerabilities fixed in Firefox 52
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox52
Fixed in Firefox 52
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/
Critical
CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
CVE-2017-5401: Memory Corruption when handling ErrorResult
CVE-2017-5402: Use-after-free working with events in FontFace objects
CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object
CVE-2017-5404: Use-after-free working with ranges in selections
CVE-2017-5399: Memory safety bugs fixed in Firefox 52
CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8

- http://www.securitytracker.com/id/1037966
CVE Reference: CVE-2017-5398, CVE-2017-5399, CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5403, CVE-2017-5404, CVE-2017-5405, CVE-2017-5406, CVE-2017-5407, CVE-2017-5408, CVE-2017-5409, CVE-2017-5410, CVE-2017-5411, CVE-2017-5412, CVE-2017-5413, CVE-2017-5414, CVE-2017-5415, CVE-2017-5416, CVE-2017-5417, CVE-2017-5418, CVE-2017-5419, CVE-2017-5420, CVE-2017-5421, CVE-2017-5422, CVE-2017-5425, CVE-2017-5426, CVE-2017-5427
Mar 8 2017
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can cause denial of service conditions.
A remote user can delete files on the target system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof a URL.
Solution: The vendor has issued a fix (52.0)...

* Firefox ESR 45.8: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.8
___

- https://www.us-cert.gov/ncas/current-activity/2017/03/07/Mozilla-Releases-Security-Update
Mar 7, 2017

:fear::fear:
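
The Strict Secure Cookies change listed in the 52.0 release notes above, modelled as an added example (this is not Mozilla's code): a toy cookie store that applies the two rules from the RFC 6265bis "Leave Secure Cookies Alone" draft, which is what the release note describes. The URLs, cookie names and values in the scenario are constructed, and the model deliberately ignores expiry, SameSite, HttpOnly and public-suffix handling.

```javascript
'use strict';
// Added example, not Mozilla code: a minimal cookie store enforcing the two
// "Strict Secure Cookies" rules that Firefox 52 adopted:
//   1. A Set-Cookie carrying the Secure attribute is ignored unless it arrived
//      from a secure (https:) origin.
//   2. A Set-Cookie from an insecure origin is ignored if an existing Secure
//      cookie has the same name and a domain/path that collides with it.
// Simplified model: no expiry, SameSite, HttpOnly or public-suffix checks.

// RFC 6265 section 5.1.4 default-path: directory part of the request path.
function defaultPath(pathname) {
  if (!pathname.startsWith('/')) return '/';
  const lastSlash = pathname.lastIndexOf('/');
  return lastSlash === 0 ? '/' : pathname.slice(0, lastSlash);
}

// RFC 6265 section 5.1.3 domain-match (IP-address special case omitted).
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// RFC 6265 section 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Parse one Set-Cookie header into just the fields the two rules need.
function parseSetCookie(header, requestUrl) {
  const url = new URL(requestUrl);
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  if (eq <= 0) throw new Error('Set-Cookie needs a name=value pair');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    domain: url.hostname.toLowerCase(), // host-only unless Domain= is given
    path: defaultPath(url.pathname),
    secure: false,
  };
  for (const attr of parts.slice(1)) {
    const [rawKey, ...rest] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    const val = rest.join('=').trim();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'domain' && val) cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'path' && val.startsWith('/')) cookie.path = val;
  }
  return cookie;
}

class CookieStore {
  constructor() { this.cookies = []; }

  // Returns {accepted, reason} so a caller can see why a cookie was dropped.
  set(requestUrl, header) {
    const fromSecureOrigin = new URL(requestUrl).protocol === 'https:';
    const cookie = parseSetCookie(header, requestUrl);
    // Rule 1: only a secure origin may set a Secure cookie.
    if (cookie.secure && !fromSecureOrigin) {
      return { accepted: false, reason: 'Secure attribute from insecure origin' };
    }
    // Rule 2: an insecure origin may not overwrite or shadow an existing
    // Secure cookie of the same name whose domain and path would collide.
    if (!fromSecureOrigin) {
      const clash = this.cookies.find((c) =>
        c.secure && c.name === cookie.name &&
        (domainMatches(c.domain, cookie.domain) || domainMatches(cookie.domain, c.domain)) &&
        pathMatches(cookie.path, c.path));
      if (clash) return { accepted: false, reason: 'would shadow an existing Secure cookie' };
    }
    // Replace any cookie with identical name/domain/path, then store.
    this.cookies = this.cookies.filter((c) =>
      !(c.name === cookie.name && c.domain === cookie.domain && c.path === cookie.path));
    this.cookies.push(cookie);
    return { accepted: true, reason: 'stored' };
  }

  get(name) {
    const c = this.cookies.find((k) => k.name === name);
    return c ? c.value : undefined;
  }
}

// Constructed scenario: a session cookie set over HTTPS, then several attempts
// from plain-HTTP pages (e.g. via an on-path attacker) to overwrite it.
function runScenario() {
  const jar = new CookieStore();
  const results = [
    jar.set('https://example.com/login', 'session=abc123; Secure; Path=/'),          // stored
    jar.set('http://example.com/', 'session=attacker; Path=/'),                        // rule 2
    jar.set('http://example.com/', 'tracker=1; Secure'),                               // rule 1
    jar.set('http://www.example.com/', 'session=attacker; Domain=example.com; Path=/'), // rule 2
    jar.set('http://example.com/account/settings', 'session=attacker'),               // rule 2 (path)
    jar.set('http://example.com/', 'theme=dark'),                                      // no conflict
    jar.set('https://example.com/', 'session=def456; Secure; Path=/'),                // legit rotation
  ].map((r) => r.accepted);
  return { results, session: jar.get('session') };
}

console.log(JSON.stringify(runScenario()));
```

Before this change a cookie set by an HTTPS page could be clobbered by any HTTP page under the same domain, which let an attacker on the network fix the victim's session cookie; the store above refuses those writes while still letting the HTTPS origin rotate its own cookie.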

AplusWebMaster
2017-03-18, 13:26
FYI...

Firefox 52.0.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

ESR download: https://www.mozilla.org/en-US/firefox/organizations/all/

Release notes
- https://www.mozilla.org/en-US/firefox/52.0.1/releasenotes/
March 17, 2017
Various security fixes
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox52.0.1

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr52.0.1

> https://www.mozilla.org/en-US/security/advisories/mfsa2017-08/
Critical
March 17, 2017
Fixed in:
- Firefox 52.0.1
- Firefox ESR 52.0.1
CVE-2017-5428: integer overflow in createImageBitmap()

- http://www.securitytracker.com/id/1038060
CVE Reference: CVE-2017-5428
Mar 17 2017
Version(s): 52.0; possibly prior versions...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (52.0.1, ESR 52.0.1)...

:fear::fear:

AplusWebMaster
2017-04-19, 21:35
FYI...

Firefox 53.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

XP/Vista: 52.1.0 ESR download: https://www.mozilla.org/en-US/firefox/organizations/all/

Release notes
- https://www.mozilla.org/en-US/firefox/53.0/releasenotes/
April 19, 2017
Fixed:
Various security fixes:
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox53

- https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/
Security vulnerabilities fixed in Firefox 53
Critical:
CVE-2017-5433: Use-after-free in SMIL animation functions
CVE-2017-5435: Use-after-free during transaction processing in the editor
CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2
CVE-2017-5461: Out-of-bounds write in Base64 encoding in NSS
CVE-2017-5459: Buffer overflow in WebGL
CVE-2017-5466: Origin confusion when reloading isolated data:text/html URL
CVE-2017-5430: Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1

- https://www.mozilla.org/en-US/security/advisories/mfsa2017-12/
Security vulnerabilities fixed in Firefox ESR 52.1
___

- http://www.securitytracker.com/id/1038320
CVE Reference: CVE-2017-5429, CVE-2017-5430, CVE-2017-5432, CVE-2017-5433, CVE-2017-5434, CVE-2017-5435, CVE-2017-5436, CVE-2017-5437, CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5443, CVE-2017-5444, CVE-2017-5445, CVE-2017-5446, CVE-2017-5447, CVE-2017-5448, CVE-2017-5449, CVE-2017-5450, CVE-2017-5451, CVE-2017-5452, CVE-2017-5453, CVE-2017-5454, CVE-2017-5455, CVE-2017-5456, CVE-2017-5458, CVE-2017-5459, CVE-2017-5460, CVE-2017-5461, CVE-2017-5462, CVE-2017-5463, CVE-2017-5464, CVE-2017-5465, CVE-2017-5466, CVE-2017-5467, CVE-2017-5468, CVE-2017-5469
Apr 20 2017
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 53.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can obtain files on the target system.
A remote user can spoof a URL.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (53.0)...
___

- https://www.us-cert.gov/ncas/current-activity/2017/04/19/Mozilla-Releases-Security-Updates
April 19, 2017

:fear::fear:

AplusWebMaster
2017-05-06, 02:43
FYI...

Firefox 53.0.2 released
- https://www.mozilla.org/en-US/firefox/53.0.2/releasenotes/
May 5, 2017

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

XP/Vista: 52.1.1 ESR download: https://www.mozilla.org/en-US/firefox/organizations/all/
> https://www.mozilla.org/en-US/firefox/52.1.1/releasenotes/

Fixed:
Make form validation errors and date picker panel visible to the user (Bug 1341190)
Various security fixes*

* https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox53.0.2
High
CVE-2017-5031: Use after free in ANGLE
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-14/
___

- https://www.us-cert.gov/ncas/current-activity/2017/05/05/Mozilla-Releases-Security-Updates
May 05, 2017

:fear::fear:

AplusWebMaster
2017-05-21, 21:11
FYI...

Firefox 53.0.3 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

- https://www.mozilla.org/en-US/firefox/53.0.3/releasenotes/
May 19, 2017
Fixed:
- Fix excessive resource usage from the captive portal detection service (bug 1359697)
- Fix hangs when using a proxy with NTLM authentication (bug 1360574)...

XP/Vista: 52.1.2 ESR released
Start Firefox, then >Help >About >Apply Update ...
-or- Download: https://www.mozilla.org/en-US/firefox/organizations/all/

- https://www.mozilla.org/en-US/firefox/52.1.2/releasenotes/
May 19, 2017
Fixed:
- Fix hangs when using a proxy with NTLM authentication (bug 1360574)

:fear:

AplusWebMaster
2017-06-14, 02:06
FYI...

Firefox 54.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes:
- https://www.mozilla.org/en-US/firefox/54.0/releasenotes/
June 13, 2017
New:
- Simplified the download button and download status panel
- Added support for multiple content processes (e10s-multi)
Various security fixes:
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox54

Security vulnerabilities fixed in Firefox 54
> https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/
Critical:
CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
CVE-2017-5471: Memory safety bugs fixed in Firefox 54
CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2
___

XP/Vista: 52.2.0 ESR released
Start Firefox, then >Help >About >Apply Update ...
-or- Download: https://www.mozilla.org/en-US/firefox/organizations/all/

Release notes:
- https://www.mozilla.org/en-US/firefox/52.2.0/releasenotes/
June 13, 2017

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr52.2

Security vulnerabilities fixed in Firefox ESR 52.2
> https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
Critical:
CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2
___

- https://www.us-cert.gov/ncas/current-activity/2017/06/13/Mozilla-Releases-Security-Updates
June 13, 2017
___

- http://www.securitytracker.com/id/1038689
CVE Reference: CVE-2017-5470, CVE-2017-5471, CVE-2017-5472, CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752, CVE-2017-7754, CVE-2017-7755, CVE-2017-7756, CVE-2017-7757, CVE-2017-7758, CVE-2017-7759, CVE-2017-7760, CVE-2017-7761, CVE-2017-7762, CVE-2017-7763, CVE-2017-7764, CVE-2017-7765, CVE-2017-7766, CVE-2017-7767, CVE-2017-7768, CVE-2017-7770, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777, CVE-2017-7778
Jun 14 2017
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 54.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A local user can obtain elevated privileges on the target system.
A local user can modify files on the target system.
A remote user can obtain files on the target system.
A remote user can spoof the address bar.
Solution: The vendor has issued a fix (ESR 52.2; 54.0)...

:fear:

AplusWebMaster
2017-06-30, 17:56
FYI...

Firefox 54.0.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes:
- https://www.mozilla.org/en-US/firefox/54.0.1/releasenotes/
June 29, 2017
Fixed:
Fix a display issue of tab title (bug 1357656)
Fix a display issue of opening new tab (bug 1371995)
Fix a display issue when opening multiple tabs (bug 1371962)
Fix a tab display issue when downloading files (bug 1373109)
Fix a PDF printing issue (bug 1366744)
Fix a Netflix issue on Linux (bug 1375708)
___

XP/Vista: 52.2.1 ESR released
Start Firefox, then >Help >About >Apply Update ...
-or- Download: https://www.mozilla.org/en-US/firefox/organizations/all/

Release notes:
- https://www.mozilla.org/en-US/firefox/52.2.1/releasenotes/
June 29, 2017

Fixed: Printing text does not work on Windows when Direct2D is disabled (Bug 1318845)

:fear:

tashi
2017-08-09, 00:49
Firefox ESR was updated to version 52.3.

Firefox Version 55.0 Released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

https://www.mozilla.org/en-US/firefox/new/

Read First-Important: via ghacks.net

"Firefox 55.0 breaks compatibility with older versions of the browser and Firefox ESR. Users who want to downgrade are advised to back up their profiles prior to installing the update."

"Executive Summary
You cannot restore an older version / migrate to Firefox ESR after the upgrade to Firefox 55 (https://www.ghacks.net/2017/08/02/you-cannot-downgrade-firefox-55-profiles/).
Firefox 55.0 is the first version of Firefox that moves directly from Nightly to Beta.
The new WebExtensions permissions system is enabled."

https://www.ghacks.net/2017/08/07/firefox-55-0-find-out-what-is-new/

AplusWebMaster
2017-08-13, 14:28
FYI...

Firefox 55.0.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes:
- https://www.mozilla.org/en-US/firefox/55.0.1/releasenotes/
August 10, 2017

Fixed in 55.0.1:
- Fix a rendering issue with some PKCS#11 libraries (bug 1388370)
- Fix a problem causing What's new pages not to be displayed (bug 1386224)
- Fix a regression in the tab restoration process (bug 1388160)
- Disable the predictor prefetch (bug 1388160)
___

Firefox 'add-on' technology is modernizing
> https://support.mozilla.org/en-US/kb/firefox-add-technology-modernizing
"'Add-ons' allow you to add extra features and functionality to Firefox. Anyone can create an extension and make it available for people to download.
>> What's happening?
In the past, add-ons often stopped working each time a new version of Firefox was released, because developers had to update them every six weeks to keep them compatible. Since add-ons could also modify Firefox internal code directly, it was possible for bad actors to include malicious code in an innocent-looking add-on.
To address these issues, and as part of broader efforts to modernize Firefox as a whole, we’ve been transitioning to a new framework for developing Firefox extensions. You can still personalize Firefox with add-ons the same way you do now, except they won’t break in new Firefox releases.
Note: Starting in Firefox 57, which will be released in November 2017, only add-ons built with this new technology will work in Firefox. These are indicated by the “Compatible with Firefox 57+” label on addons.mozilla.org (AMO). Add-ons built with the old technology are labeled “Legacy” on the about:addons tab.
If an add-on does not have the "Compatible with 57+" label or has the -Legacy- label, the developer may be in the process of transitioning to the new technology..."
___

Fixed in Firefox v55.0:
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox55

> https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/
Critical:
CVE-2017-7798: XUL injection in the style editor in devtools
CVE-2017-7800: Use-after-free in WebSockets during disconnection
CVE-2017-7801: Use-after-free with marquee during window resizing
CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
___

FF 52.3.0 ESR released
Start Firefox, then >Help >About >Apply Update ...
-or- https://www.mozilla.org/en-US/firefox/organizations/all/

Release notes:
- https://www.mozilla.org/en-US/firefox/52.3.0/releasenotes/
August 8, 2017

Fixed:
- Various security fixes*
- Various stability and regression fixes

* https://www.mozilla.org/en-US/security/advisories/mfsa2017-19/
Critical:
CVE-2017-7798: XUL injection in the style editor in devtools
CVE-2017-7800: Use-after-free in WebSockets during disconnection
CVE-2017-7801: Use-after-free with marquee during window resizing
CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3

:fear:

AplusWebMaster
2017-08-17, 01:21
FYI...

Firefox 55.0.2 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes: https://www.mozilla.org/en-US/firefox/55.0.2/releasenotes/
August 16, 2017
Fixed:
- Fix a -regression- with the popup menu (Bug 1388682)
- Fix performance -regressions- with WebExtension (Bugs 1386937 & 1389381)
- Fix an issue with new installation notification for sideload add-ons (Bug 1372448)
- Fix a potential issue when the username had some specific characters in the path (Bug 1388584)

:fear:

AplusWebMaster
2017-08-26, 13:50
FYI...

Firefox 55.0.3 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes: https://www.mozilla.org/en-US/firefox/55.0.3/releasenotes/
August 25, 2017
Fixed:
- Fix file uploads to some websites, including YouTube (bug 1383518)
- Fix an issue with addons when using a path containing non-ascii characters (bug 1389160)

:fear:

AplusWebMaster
2017-09-28, 22:17
FYI...

Firefox 56 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes: https://www.mozilla.org/en-US/firefox/56.0/releasenotes/
Sep 28, 2017

New:
Launched Firefox Screenshots[1], a feature that lets users take, save, and share screenshots without leaving the browser
1] https://screenshots.firefox.com/#tour
Added support for address form autofill (en-US only)
Updated Preferences:
Added search tool so users can find a specific setting quickly
Reorganized preferences so users can more easily scan settings
Rewrote descriptions so users can better understand choices and how they affect browsing
Revised data collection choices so they align with updated Privacy Notice and data collection strategy
Media opened in a background tab will not play until the tab is selected
Improved Send Tabs feature of Sync for iOS and Android, and Send Tabs can be discovered even by users without a Firefox Account
Changed:
Replaced character encoding converters with a new Encoding Standard-compliant implementation written in Rust
Added hardware acceleration for AES-GCM
Updated the Safe Browsing protocol to version 4
Reduced update download file size by approximately 20 percent
Improved security for verifying update downloads...
Unresolved:
Startup crashes with 64-bit Firefox on Windows 7, for users of Lenovo's "OneKey Theater" software for IdeaPad laptops. To fix this crash, please re-install 32-bit Firefox.
> https://www.mozilla.org/en-US/firefox/all/
Startup crash with RelevantKnowledge adware installed. Firefox Support has helpful instructions to remove it:
> https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-caused-malware

Fixed in Firefox 56: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox56
> https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/
Critical:
CVE-2017-7811: Memory safety bugs fixed in Firefox 56
CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4 ...

- http://www.securitytracker.com/id/1039465
CVE Reference: CVE-2017-7793, CVE-2017-7805, CVE-2017-7810, CVE-2017-7811, CVE-2017-7812, CVE-2017-7813, CVE-2017-7814, CVE-2017-7815, CVE-2017-7816, CVE-2017-7817, CVE-2017-7818, CVE-2017-7819, CVE-2017-7820, CVE-2017-7821, CVE-2017-7822, CVE-2017-7823, CVE-2017-7824, CVE-2017-7825
Sep 29 2017
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 56.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof the address bar and other user interface components.
A remote user can conduct cross-site scripting attacks.
Solution: The vendor has issued a fix (56.0)...
___

52.4.0 ESR released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/organizations/all/

Release notes: https://www.mozilla.org/en-US/firefox/52.4.0/releasenotes/
Sep 28, 2017

Fixed:
Various security fixes*
Various stability and regression fixes
* https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr52.4
Security vulnerabilities fixed in Firefox ESR52.4
> https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/
Critical:
CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4 ...
___

- https://www.us-cert.gov/ncas/current-activity/2017/09/28/Mozilla-Releases-Security-Updates
Sep 28, 2017

:fear::fear:

AplusWebMaster
2017-10-02, 21:10
FYI...

Fake Firefox updates...
> https://support.mozilla.org/en-US/kb/i-found-fake-firefox-update
"We have received reports from many users who were interrupted in their browsing experience and who got redirected to a -fake- page purporting to provide an "urgent" or "critical" update and prompting to download a firefox-patch.js (or .exe) file. Some people have also reported seeing -ads- prompting them to download a Firefox update. These are -scam- tactics trying to trick you into installing malware!... To our knowledge those notices are a form of "malvertising": those fake notices get triggered by code contained in -ads- that are displayed on otherwise legitimate websites you are visiting and get spread through advertisement networks. This is an example of how such a fake update notice may look - they are hosted on randomly generated and quickly changing domains:
>> https://support.cdn.mozilla.net/media/uploads/gallery/images/2016-09-15-12-37-10-c81e72.png
... -Fake-updates- have been spotted for other popular browsers. Although we cannot root out every bad actor on the web, we are continuing to improve Firefox's defenses against malware. Knowing how to recognize and report such frauds helps us keep the Internet open and safer."

:fear::fear::fear:

AplusWebMaster
2017-10-06, 00:03
FYI...

Firefox ESR E-O-L - on XP-Vista in June 2018
> https://blog.mozilla.org/futurereleases/2017/10/04/firefox-support-for-windows-xp-and-vista/
Oct 4, 2017 - "... Today we are announcing June 2018 as the final end of life date for Firefox support on Windows XP and Vista. As one of the few browsers that continues to support Windows XP and Vista, Firefox users on these platforms can expect security updates until that date. Users do not need to take additional action to receive those updates..."

> https://support.mozilla.org/en-US/kb/end-support-windows-xp-and-vista

:fear::fear:

AplusWebMaster
2017-10-09, 22:04
FYI...

Firefox 56.0.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes:
- https://www.mozilla.org/en-US/firefox/56.0.1/releasenotes/
Oct 9, 2017
Fixed:
- Block D3D11 when using Intel drivers on Windows 7 systems with partial AVX support (bug 1403353)
Changed
- Users of 32-bit Firefox on 64-bit Windows are migrated to 64-bit Firefox for increased stability and security.

:fear:

AplusWebMaster
2017-10-26, 23:01
FYI...

Firefox 56.0.2 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes:
- https://www.mozilla.org/en-US/firefox/56.0.2/releasenotes/
Oct 26, 2017
Fixed:
- Disable Form Autofill completely on user request (Bug 1404531)
- Fix for video-related crashes on Windows 7 (Bug 1409141)
- Correct detection for 64-bit GSSAPI authentication (Bug 1409275)
- Fix for shutdown crash (Bug 1404105)

:fear::fear:

AplusWebMaster
2017-11-14, 18:26
FYI...

Firefox 57.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes:
- https://www.mozilla.org/en-US/firefox/57.0/releasenotes/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=whatsnew
Nov 14, 2017
New:
A completely new browsing engine, designed to take full advantage of the processing power in modern devices
A redesigned interface with a clean, modern appearance, consistent visual elements, and optimizations for touch screens
A unified address and search bar. New installs will see this unified bar. Learn how to add the stand-alone search bar to the toolbar
A revamped new tab page that includes top visited sites, recently visited pages, and recommendations from Pocket (in the US, Canada, and Germany)
An updated product tour to orient new and returning Firefox users
AMD VP9 hardware video decoder support for improved video playback with lower power consumption
An expanded section in preferences to manage all website permissions
Changed:
Modernized application update UI to be less intrusive and more aligned with the rest of the browser. Only users who have not restarted their browser 8 days after downloading an update or users who opted out of automatic updates will see this change.
Firefox does -not- support downgrades, even though this may have worked in past versions. Users who install Firefox 55+ and later downgrade to an earlier version may experience -issues- with Firefox.
Made the Adobe Flash plugin click-to-activate by default and allowed -only- on http:// and https:// URL schemes. (This change will not be visible to all users immediately. For more information see the Firefox plugin roadmap:
- https://developer.mozilla.org/en-US/docs/Plugins/Roadmap )

Changed: Firefox now exclusively supports extensions built using the WebExtension API, and unsupported legacy extensions will no longer work...
> https://support.mozilla.org/kb/firefox-add-technology-modernizing

Fixed: Various security fixes:
> https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox57
Security vulnerabilities fixed in Firefox 57
> https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/
Nov 14, 2017
Critical:
CVE-2017-7828: Use-after-free of PressShell while restyling layout
CVE-2017-7827: Memory safety bugs fixed in Firefox 57
CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5

> https://blog.mozilla.org/blog/2017/11/14/introducing-firefox-quantum/
___

Firefox 52.5.0 ESR released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/organizations/all/

Release notes: https://www.mozilla.org/en-US/firefox/52.5.0/releasenotes/
Nov 14, 2017
Various security fixes
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr52.5
Security vulnerabilities fixed in Firefox ESR 52.5
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/
Critical:
CVE-2017-7828: Use-after-free of PressShell while restyling layout
CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5

Various stability and regression fixes
___

- https://www.us-cert.gov/ncas/current-activity/2017/11/14/Mozilla-Releases-Security-Updates
Nov 14, 2017
___

- https://www.securitytracker.com/id/1039803
CVE Reference: CVE-2017-7826, CVE-2017-7827, CVE-2017-7828, CVE-2017-7830, CVE-2017-7831, CVE-2017-7832, CVE-2017-7833, CVE-2017-7834, CVE-2017-7835, CVE-2017-7836, CVE-2017-7837, CVE-2017-7838, CVE-2017-7839, CVE-2017-7840, CVE-2017-7842
Nov 15 2017
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 57.0 ...
(More detail at the URL above.)


- https://www.securitytracker.com/id/1039805
CVE Reference: CVE-2017-7826, CVE-2017-7828, CVE-2017-7830
Nov 15 2017
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to ESR 52.5 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can modify data on the target system.
A local user can obtain elevated privileges on the target system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof a URL.
Solution: The vendor has issued a fix for CVE-2017-7826, CVE-2017-7828, and CVE-2017-7830 for Firefox ESR (52.5)...

:fear::fear::fear:

AplusWebMaster
2017-11-30, 20:10
FYI...

Firefox 57.0.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes:
- https://www.mozilla.org/en-US/firefox/57.0.1/releasenotes/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=whatsnew
Nov 29, 2017
Fixed:
Fix a video color distortion issue on YouTube and other video sites with some AMD devices (bug 1417442)
Fix an issue with prefs.js when the profile path has non-ascii characters (bug 1420427) ...
Google map crashes on OSX with Intel HD Graphics 3000
Changed:
Block injection of a client library associated with the RealPlayer Free player which is known to cause performance problems in Firefox. (Bug 1418535)

> https://www.mozilla.org/en-US/security/advisories/mfsa2017-27/
Fixed in: Firefox 57.0.1
___

> https://www.ixquick.com/
"Firefox's latest update (57.0.1) aggressively tries to reset your default search engine to Google! To make StartPage your default search engine again after the update, please follow the instructions... You may want to bookmark this article now..."
* https://support.startpage.com/index.php?/Knowledgebase/Article/View/199/0/how-do-i-add-startpage-to-firefox-as-a-default-search-engine
___

- https://www.us-cert.gov/ncas/current-activity/2017/12/04/Mozilla-Releases-Security-Update-Firefox
Dec 04, 2017

:fear:

AplusWebMaster
2017-12-08, 15:23
FYI...

Firefox 57.0.2 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes:
- https://www.mozilla.org/en-US/firefox/57.0.2/releasenotes/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=whatsnew
Dec 07, 2017
Fixed:
- Block old versions of G Data Endpoint Security for crashing Firefox on start up - Windows only (bug 1421991)
- Fix a regression with WebGL and D3D9 - Windows only

Firefox 57.0.2: https://www.mozilla.org/en-US/security/advisories/mfsa2017-29/
___

Firefox ESR 52.5.2 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/organizations/all/

Release notes: https://www.mozilla.org/en-US/firefox/52.5.2/releasenotes/
Dec 07, 2017
- Various security fixes: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr52.5.2

ESR 52.5.2: https://www.mozilla.org/en-US/security/advisories/mfsa2017-28/
___

> https://www.us-cert.gov/ncas/current-activity/2017/12/07/Mozilla-Releases-Security-Updates
Dec 07, 2017

:fear::fear:

AplusWebMaster
2017-12-28, 23:46
FYI...

Firefox 57.0.3 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

> https://www.mozilla.org/en-US/firefox/57.0.3/releasenotes/
Dec 28, 2017
Fixed: Fix a crash reporting issue that inadvertently sends background tab crash reports to Mozilla without user opt-in (bug 1427111)

:fear:

AplusWebMaster
2018-01-05, 03:40
FYI...

Firefox 57.0.4 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

> https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/
Jan 4, 2018
Fixed: Security fixes* to address the Meltdown and Spectre** timing attacks.
* https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox57.0.4
...
> https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/

** https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
___

> https://www.us-cert.gov/ncas/current-activity/2018/01/04/Mozilla-Releases-Security-Update
Jan 04, 2018

> https://www.us-cert.gov/ncas/alerts/TA18-004A
Jan 04, 2018

:fear::fear:

AplusWebMaster
2018-01-24, 00:23
FYI...

Firefox 58.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

> https://www.mozilla.org/en-US/firefox/58.0/releasenotes/
Jan 23, 2018
New: Performance improvements, including:
Rendering graphics for Windows users by using Off-Main-Thread Painting (OMTP)
Loading pages faster by changing how Firefox caches and retrieves JavaScript
Improvements to Firefox Screenshots:
Copy and paste screenshots directly to your clipboard
Firefox Screenshots now works in Private Browsing mode
Added Nepali (ne-NP) locale
In case you missed it - 57 Release privacy and performance feature:
Users can enable Tracking Protection at all times. Learn how to turn Tracking Protection on.
Fixed:
Fonts installed in non-standard directories will no longer appear blank for Linux users
Various security fixes*
Changed:
User profiles created in Firefox 58 (and in future releases) are not supported in previous versions of Firefox. Users who downgrade to a previous version should create a new profile for that version. Learn about alternatives to downgrading on our support site.
Added a warning to alert users and site owners of planned security changes to sites affected by the gradual distrust plan for the Symantec certificate authority

* https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox58
...
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/
CVE-2018-5091: Use-after-free with DTMF timers
Critical
CVE-2018-5090: Memory safety bugs fixed in Firefox 58
Critical
CVE-2018-5089: Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
Critical
___

Firefox ESR 52.6 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/organizations/all/

Release notes: https://www.mozilla.org/en-US/firefox/52.6.0/releasenotes/
Jan 23, 2018
Various stability and regression fixes
Various security fixes*
* https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr52.6
...
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/
CVE-2018-5091: Use-after-free with DTMF timers
Critical
CVE-2018-5089: Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
Critical
___

- https://www.us-cert.gov/ncas/current-activity/2018/01/23/Mozilla-Releases-Security-Updates
Jan 23, 2018

:fear::fear:

AplusWebMaster
2018-01-31, 02:47
FYI...

Firefox 58.0.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

> https://www.mozilla.org/en-US/firefox/58.0.1/releasenotes/
Jan 29, 2018
Fixed:
Security fix: When using certain non-default security policies on Windows (for example with Windows Defender Exploit Protection or Webroot security products), Firefox 58.0 would fail to load pages (bug 1433065).

- https://www.mozilla.org/en-US/security/advisories/mfsa2018-05/
Jan 29, 2018
Critical
Fixed in: Firefox 58.0.1
This issue did not affect Firefox for Android or Firefox 52 ESR.
References: Sanitize HTML fragments created for chrome-privileged documents (CVE-2018-5124)
___

- https://www.us-cert.gov/ncas/current-activity/2018/01/30/Mozilla-Releases-Security-Update-Firefox
Jan 30, 2018
___

- https://www.securitytracker.com/id/1040308
CVE Reference: CVE-2018-5124
Jan 30 2018
Fix Available: Yes Vendor Confirmed: Yes
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (58.0.1).

:fear: