Mozilla sent Firefox Version 50.0 to the release channel today. The update includes a very large set of security fixes, comprising three (3) Critical, twelve (12) High, ten (10) Moderate and two (2) Low security updates. Also included in the release are new features, fixes and changes.
The next scheduled release is December 13, 2016 (5-week cycle, with releases for critical fixes as needed).
Firefox ESR will continue to ship point releases on the same day that Firefox ships and can be downloaded from here. The ESR version was updated to 45.5.0.
Security Fixes:
Critical
- CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_
- CVE-2016-5289: Memory safety bugs fixed in Firefox 50
- CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5
High
- CVE-2016-5292: URL parsing causes crash
- CVE-2016-5293: Write to arbitrary file with updater and moz maintenance service using updater.log hardlink
- CVE-2016-5294: Arbitrary target directory for result files of update process
- CVE-2016-5297: Incorrect argument length checking in JavaScript
- CVE-2016-9064: Addons update must verify IDs match between current and new versions
- CVE-2016-9065: Firefox for Android location bar spoofing using fullscreen
- CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler
- CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore
- CVE-2016-9068: heap-use-after-free in nsRefreshDriver
- CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile
- CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges
- CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them
Moderate
- CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file
- CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM
- CVE-2016-5298: SSL indicator can mislead the user about the real URL visited
- CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions
- CVE-2016-9061: API Key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions
- CVE-2016-9062: Private browsing browser traces (android) in browser.db and wal file
- CVE-2016-9070: Sidebar bookmark can have reference to chrome window
- CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"
- CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler
- CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s
Low
- CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in expat
- CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP
Firefox Version 50 New, Fixed & Changed:
New
- Updates to keyboard shortcuts
  - Set a preference to have Ctrl+Tab cycle through tabs in recently used order
  - View a page in Reader Mode by using Ctrl+Alt+R (command+alt+r on Mac)
- Added option to Find in page that allows users to limit search to whole words only
- Added Guarani (gn) locale
- Increased availability of WebGL to more than 98 percent of users on Windows 7 and newer
- Added download protection for a large number of executable file types on Windows, Mac and Linux
- Improved performance for SDK extensions or extensions using the SDK module loader
- Playback video on more sites without plugins with WebM EME Support for Widevine on Windows and Mac
Fixed
- Fixed rendering of dashed and dotted borders with rounded corners (border-radius)
Changed
- Added a built-in Emoji set for operating systems without native Emoji fonts (Windows 8.0 and lower and Linux)
- Blocked versions of libavcodec older than 54.35.1
Update
To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox." Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.
References
- Common questions after updating Firefox
- Security Updates
- Mozilla Firefox Release Notes
- Bug Fixes
- Rapid Release Calendar
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...