Mozilla sent Firefox Version 56.0 to the release channel today. The update includes two (2) Critical, six (6) High, seven (7) Moderate and two (2) Low security updates. Firefox ESR was updated to version 52.4.0.
Important Notes:
- Although version 56 is scheduled to "silently and forcibly auto-upgrade" users running the 32-bit version of Firefox on 64-bit Windows with more than 2 GB of RAM to the 64-bit build, the migration did not happen on my machine.
- Users of Lenovo's "OneKey Theater" software for IdeaPad laptops and users running Firefox for Windows over a Remote Desktop Connection (RDP) are advised to check the unresolved issues below.
- Version 56 makes Firefox Screenshots and Send Tabs available to all users.
- Firefox 57 will drop support for legacy add-ons; only WebExtensions will continue to work. See Mozilla's article "Firefox add-on technology is modernizing" for details.
Security Fixes:
Critical:
- CVE-2017-7811: Memory safety bugs fixed in Firefox 56
- CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
High, Moderate and Low (the per-issue rating is given in Mozilla's advisory for Firefox 56):
- CVE-2017-7793: Use-after-free with Fetch API
- CVE-2017-7817: Firefox for Android address bar spoofing through fullscreen mode
- CVE-2017-7818: Use-after-free during ARIA array manipulation
- CVE-2017-7819: Use-after-free while resizing images in design mode
- CVE-2017-7824: Buffer overflow when drawing and validating elements with ANGLE
- CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes
- CVE-2017-7812: Drag and drop of malicious page content to the tab bar can open locally stored files
- CVE-2017-7814: Blob and data URLs bypass phishing and malware protection warnings
- CVE-2017-7813: Integer truncation in the JavaScript parser
- CVE-2017-7825: OS X fonts render some Tibetan and Arabic Unicode characters as spaces (affects OS X only; other operating systems are unaffected)
- CVE-2017-7815: Spoofing attack with modal dialogs on non-e10s installations
- CVE-2017-7816: WebExtensions can load about: URLs in extension UI
- CVE-2017-7821: WebExtensions can download and open non-executable files without user interaction
- CVE-2017-7823: CSP sandbox directive did not create a unique origin
- CVE-2017-7822: WebCrypto allows AES-GCM with 0-length IV
- CVE-2017-7820: Xray wrapper bypass with new tab and web console
New
- Launched Firefox Screenshots, a feature that lets users take, save, and share screenshots without leaving the browser
- Added support for address form autofill (en-US only)
- Updated Preferences:
  - Added a search tool so users can find a specific setting quickly
  - Reorganized preferences so users can more easily scan settings
  - Rewrote descriptions so users can better understand choices and how they affect browsing
  - Revised data collection choices so they align with the updated Privacy Notice and data collection strategy
- Media opened in a background tab will not play until the tab is selected
- Improved the Send Tabs feature of Sync for iOS and Android; Send Tabs can now be discovered even by users without a Firefox Account
Changed
- Replaced character encoding converters with a new Encoding Standard-compliant implementation written in Rust
- Added hardware acceleration for AES-GCM
- Updated the Safe Browsing protocol to version 4
- Reduced update download file size by approximately 20 percent
- Improved security for verifying update downloads
Unresolved
- Startup crash with RelevantKnowledge adware installed. Firefox Support has helpful instructions to remove it.
- Startup crashes with 64-bit Firefox on Windows 7, for users of Lenovo's "OneKey Theater" software for IdeaPad laptops. To fix this crash, please re-install 32-bit Firefox.
- Users running Firefox for Windows over a Remote Desktop Connection (RDP) may find that audio playback is disabled due to increased security restrictions. Firefox Support describes a workaround to use until this is corrected in an upcoming release.
To get the update now, select "Help" from the Firefox menu, then pick "About Firefox." Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.