Fixed in Firefox 37.0.1
- 2015-44 Certificate verification bypass through the HTTP/2 Alt-Svc header
- 2015-43 Loading privileged content through Reader mode
Mozilla sent Firefox Version 37.0 to the release channel.
Correction: Although not listed in the Release Notes, it appears that Version 37.0 does indeed include security fixes: four (4) critical, two (2) high, five (5) moderate and one (1) low.
A major addition included in the browser is called Heartbeat, described as User Voice in Firefox. Essentially, it is a user rating system. Heartbeat will appear randomly requesting a rating, which may be followed by an "Engagement" request.
Personally, this seems like a whole lot of nonsense to me and a wasted effort on the part of Mozilla.org to increase its following. It is nonsense like that that convinces me further that I made the right decision to switch to Pale Moon.
If you do not wish to allow Heartbeat, it can be disabled as follows:
- Open about:config
- Click "I'll be careful, I promise!" when presented with the warning.
- Type selfsupport in the search box
- Set browser.selfsupport.url to ""
Fixed in Firefox 37
- 2015-42 Windows can retain access to privileged content on navigation to unprivileged pages
- 2015-40 Same-origin bypass through anchor navigation
- 2015-39 Use-after-free due to type confusion flaws
- 2015-38 Memory corruption crashes in Off Main Thread Compositing
- 2015-37 CORS requests should not follow 30x redirections after preflight
- 2015-36 Incorrect memory management for simple-type arrays in WebRTC
- 2015-35 Cursor clickjacking with flash and images
- 2015-34 Out of bounds read in QCMS library
- 2015-33 resource:// documents can load privileged pages
- 2015-32 Add-on lightweight theme installation approval bypassed through MITM attack
- 2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin
- 2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)
- New: Heartbeat user rating system - your feedback about Firefox
- New: Yandex set as default search provider for the Turkish locale
- New: Bing search now uses HTTPS for secure searching
- New: Improved protection against site impersonation via OneCRL centralized certificate revocation
- New: Opportunistically encrypt HTTP traffic where the server supports HTTP/2 AltSvc
- Changed: Disabled insecure TLS version fallback for site security
- Changed: Extended SSL error reporting for reporting non-certificate errors
- Changed: TLS False Start optimization now requires a cipher suite using AEAD construction
- Changed: Improved certificate and TLS communication security by removing support for DSA
- Changed: Improved performance of WebGL rendering on Windows
- HTML5: Implemented a subset of the Media Source Extensions (MSE) API to allow native HTML5 playback on YouTube
- HTML5: Added support for CSS display:contents
- HTML5: IndexedDB now accessible from worker threads
- HTML5: New SDP/JSEP implementation in WebRTC
Update
To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox." Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...