Mozilla Firefox Version 60.0 Released with Security Updates

Mozilla sent Firefox Version 60.0 to the release channel today.  The update includes twenty-six (26) security fixes of which two (2) are rated critical, six (6) high, fourteen (14) moderate, and four (4) low.

Firefox ESR has been updated to version 52.8.

Security Fixes

Critical:

• #CVE-2018-5151: Memory safety bugs fixed in Firefox 60
• #CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8

High:

• #CVE-2018-5154: Use-after-free with SVG animations and clip paths
• #CVE-2018-5155: Use-after-free with SVG animations and text paths
• #CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files
• #CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer
• #CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
• #CVE-2018-5160: Uninitialized memory use by WebRTC encoder

Moderate:

• #CVE-2018-5152: WebExtensions information leak through webRequest API
• #CVE-2018-5153: Out-of-bounds read in mixed content websocket messages
• #CVE-2018-5163: Replacing cached data in JavaScript Start-up Bytecode Cache
• #CVE-2018-5164: CSP not applied to all multipart content sent with multipart/x-mixed-replace
• #CVE-2018-5166: WebExtension host permission bypass through filterReponseData
• #CVE-2018-5167: Improper linkification of chrome: and javascript: content in web console and JavaScript debugger
• #CVE-2018-5168: Lightweight themes can be installed without user interaction
• #CVE-2018-5169: Dragging and dropping link text onto home button can set home page to include chrome pages
• #CVE-2018-5172: Pasted script from clipboard can run in the Live Bookmarks page or PDF viewer
• #CVE-2018-5173: File name spoofing of Downloads panel with Unicode characters
• #CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update
• #CVE-2018-5175: Universal CSP bypass on sites using strict-dynamic in their policies
• #CVE-2018-5176: JSON Viewer script injection
• #CVE-2018-5177: Buffer overflow in XSLT during number formatting

Low:

• #CVE-2018-5165: Checkbox for enabling Flash protected mode is inverted in 32-bit Firefox
• #CVE-2018-5180: heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced
• #CVE-2018-5181: Local file can be displayed in noopener tab through drag and drop of hyperlink
• #CVE-2018-5182: Local file can be displayed from hyperlink dragged and dropped on addressbar 
 

New

• Added a policy engine that allows customized Firefox deployments in enterprise environments, using Windows Group Policy or a cross-platform JSON file
  
• Enhancements to New Tab / Firefox Home
  
  • Responsive layout that shows more content for users with wide-screen displays
  • Highlights section includes web sites saved to Pocket
  • More options to reorder sections and content on the page
  • Pocket Sponsored Stories will appear for a percentage of users in the US. Read about our privacy-conscious approach to sponsored content
• Redesigned Cookies and Site Storage section in Preferences for greater clarity and control of first- and third-party cookies
  
• Applied Quantum CSS to render browser UI
  
• Added support for Web Authentication API, which allows USB tokens for website authentication
  
• Enhanced camera privacy indicators: Firefox now turns off your camera and the camera's light when you disable video recording, and turns the camera and light on when you resume recording
  
• Added an option for Linux users to show or hide page titles in a bar at the top of the browser. You’ll find the Title Bar option in the Customize panel available from the main browser menu.
  
• Improved WebRTC audio performance and playback for Linux users
  
• Locale added: Occitan (oc)
  

Changed

• Changed the Windows shortcut for entering Reader View to F9, for better compatibility with keyboard layouts that use AltGr
  
• Bookmarks no longer support multiple keywords for the same URL unless the request has different POST data
  
• TLS certificates issued by Symantec before June 1st, 2016 are no longer trusted by Firefox
  
• Updated the Skia graphics library to milestone 66
  

Developer

• Changes affecting developers (Developer Information)

Unresolved

• After disabling Sponsored Stories from the New Tab page settings, the next opened tab may still show a sponsored tile (bug 1458906)
  
• WebVR does not work on macOS with Vive headsets (bug 1454204)
  

Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References

• Common questions after updating Firefox
• Security Updates
• Mozilla Firefox Release Notes
• Rapid Release Calendar

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...