Mozilla sent Firefox Version 69.0 to the release channel today. The accompanying security advisory lists twenty (20) fixes, of which one (1) is rated critical, eleven (11) high, five (5) moderate and three (3) low (the High list below has eleven entries, not eight).
Of particular interest in Version 69.0 are the new Enhanced Tracking Protection defaults, the option to block all autoplaying video (not only video with sound), and the change that Flash content now always requires user permission before it is activated on a website.
Also released were Firefox ESR Version 60.9 (see "Security vulnerabilities fixed in Firefox ESR 60.9") and Firefox ESR Version 68.1 (see "Security vulnerabilities fixed in Firefox ESR 68.1").
Critical
High
- #CVE-2019-11746: Use-after-free while manipulating video
- #CVE-2019-11744: XSS by breaking out of title and textarea elements using innerHTML
- #CVE-2019-11742: Same-origin policy violation with SVG filters and canvas to steal cross-origin images
- #CVE-2019-11736: File manipulation and privilege escalation in Mozilla Maintenance Service
- #CVE-2019-11753: Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location
- #CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB
- #CVE-2019-9812: Sandbox escape through Firefox Sync
- #CVE-2019-11741: Isolate addons.mozilla.org and accounts.firefox.com
- #CVE-2019-11734: Memory safety bugs fixed in Firefox 69
- #CVE-2019-11735: Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
- #CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9
Moderate
- #CVE-2019-11743: Cross-origin access to unload event attributes
- #CVE-2019-11748: Persistence of WebRTC permissions in a third party
- #CVE-2019-11749: Camera information available without prompting using getUserMedia
- #CVE-2019-5849: Out-of-bounds read in Skia
- #CVE-2019-11750: Type confusion in SpiderMonkey
Low
- #CVE-2019-11737: Content security policy directives ignore port and path if host is a wildcard
- #CVE-2019-11738: Content security policy bypass through hash-based sources in directives
- #CVE-2019-11747: 'Forget about this site' removes sites from pre-loaded HSTS list
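To make the low-rated CSP issue above (CVE-2019-11737, port and path ignored when the host is a wildcard) concrete, here is a minimal CSP host-source matcher following the CSP Level 3 matching rules. It is example code added for this post, not Firefox's implementation, and the policy source and candidate URLs are constructed for illustration. The point it demonstrates: the scheme, host, port and path parts of a source expression are checked independently, so a wildcard host such as `*.example.com` still restricts the allowed port and directory, and a matcher that short-circuits on the wildcard host would wrongly allow the second, third and fourth URLs in the list at the bottom.

```javascript
// Added example (not Firefox code): a minimal CSP host-source matcher that
// follows the CSP Level 3 matching rules closely enough to show why the
// port and path parts must be enforced even when the host is a wildcard.
// The policy source and URLs used below are constructed for illustration.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Split a host-source such as "https://*.example.com:8443/scripts/" into parts.
// Returns null for anything that is not a host-source ('self', nonces, hashes, ...).
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return null;
  return {
    scheme: m[1] ? m[1].toLowerCase() + ":" : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
    path: m[4] || null,
  };
}

// Scheme-part: exact match, plus the upgrades CSP explicitly allows
// (an http: source matches https: URLs, ws: matches wss:).
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme
    || (exprScheme === "http:" && urlScheme === "https:")
    || (exprScheme === "ws:" && urlScheme === "wss:");
}

// Host-part: "*.example.com" matches any subdomain but not example.com itself.
function hostMatches(exprHost, urlHost) {
  if (exprHost === "*") return true;
  if (exprHost.startsWith("*.")) {
    const suffix = exprHost.slice(1); // ".example.com"
    return urlHost.length > suffix.length && urlHost.endsWith(suffix);
  }
  return exprHost === urlHost;
}

// Port-part: absent means "the scheme's default port only"; "*" means any port;
// a number must equal the URL's effective port.
function portMatches(exprPort, url) {
  const effective = url.port || DEFAULT_PORTS[url.protocol] || "";
  if (exprPort === null) return effective === DEFAULT_PORTS[url.protocol];
  if (exprPort === "*") return true;
  return exprPort === effective;
}

// Path-part: a trailing "/" means prefix match on that directory; otherwise the
// path must match exactly. (Per-segment percent-decoding is omitted here.)
function pathMatches(exprPath, urlPath) {
  if (exprPath === null) return true;
  if (exprPath.endsWith("/")) return urlPath.startsWith(exprPath);
  return exprPath === urlPath;
}

// Does urlString match the host-source expr? pageScheme is the scheme of the
// protected resource, used when the expression carries no scheme of its own.
function matchesHostSource(expr, urlString, pageScheme = "https:") {
  const src = parseHostSource(expr);
  if (!src) return false;
  const url = new URL(urlString);
  // A bare "*" matches any network-scheme URL regardless of port or path.
  if (expr === "*") return url.protocol in DEFAULT_PORTS || url.protocol === pageScheme;
  return schemeMatches(src.scheme || pageScheme, url.protocol)
    && hostMatches(src.host, url.hostname)
    && portMatches(src.port, url)
    && pathMatches(src.path, url.pathname);
}

// Evaluate a list of candidate URLs against one source expression.
function checkPolicy(source, candidates) {
  return candidates.map((u) => [u, matchesHostSource(source, u)]);
}

// Constructed policy source: only one port and one directory should be allowed.
const SOURCE = "https://*.example.com:8443/scripts/";

if (typeof require !== "undefined" && require.main === module) {
  for (const [u, ok] of checkPolicy(SOURCE, [
    "https://cdn.example.com:8443/scripts/app.js", // allowed
    "https://cdn.example.com/scripts/app.js",      // wrong port (443)
    "https://cdn.example.com:8443/other/app.js",   // wrong path
    "https://example.com:8443/scripts/app.js",     // apex is not a subdomain
  ])) console.log(ok ? "allow" : "block", u);
}
```

Only the first URL should be allowed; a matcher that stops checking once the wildcard host matches (the behaviour the advisory describes) would allow all four.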
New
- Enhanced Tracking Protection (ETP) rolls out stronger privacy protections:
- The default standard setting for this feature now blocks third-party tracking cookies and cryptominers.
- The optional strict setting blocks fingerprinters as well as the items blocked in the standard setting.
- The Block Autoplay feature is enhanced to give users the option to block any video that automatically starts playing, not just those that automatically play with sound.
- For our users in the US or using the en-US browser, we are shipping a new “New Tab” page experience that connects you to the best of Pocket’s content.
- Support for the Web Authentication HmacSecret extension via Windows Hello now comes with this release, on Windows 10 May 2019 Update or newer, enabling more passwordless experiences on the web.
- Support for receiving multiple video codecs with this release makes it easier for WebRTC conferencing services to mix video from different clients.
- For our users on Windows 10, you’ll see performance and UI improvements:
- Firefox will give Windows hints to appropriately set content process priority levels, meaning more processor time spent on the tasks you're actively working on, and less processor time spent on things in the background (with the exception of video and audio playback).
- For our existing Windows 10 users, you can easily find and launch Firefox from a shortcut on the Win10 taskbar.
- For our users on macOS, battery life and download UI are both improved:
- macOS users on dual-graphics-card machines (like MacBook Pro) will switch back to the low-power GPU more aggressively, saving battery life.
- Finder on macOS now displays download progress for files being downloaded.
- JIT support comes to ARM64 for improved performance of our JavaScript Optimizing JIT compiler.
Changed
- As previously announced in the Plugin Roadmap for Firefox, the "Always Activate" option for Flash plugin content has been removed. Firefox will now always ask for user permission before activating Flash content on a website.
- With the deprecation of Adobe Flash Player, there is no longer a need to identify users running the 32-bit version of Firefox on a 64-bit operating system in the user agent string. Dropping that detail removes a user-agent fingerprinting factor, giving users a greater level of privacy, and improves the experience of downloading other apps.
- Firefox no longer loads userChrome.css or userContent.css by default, improving start-up performance. Users who wish to customize Firefox with these files can set the toolkit.legacyUserProfileCustomizations.stylesheets preference to true to restore this ability.
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...