Mozilla Firefox Version 76.0 Released With Critical Security Updates

Mozilla sent Firefox Version 76.0 to the release channel today.  The update included eleven (11) security updates of which three (3) are critical, three (3) are high, four (4) are moderate and one (1) is low in severity.

Also released was Firefox ESR Version 68.8.

Critical

• #CVE-2020-12387: Use-after-free during worker shutdown
• #CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens
• #CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8

 High

• #CVE-2020-12389: Sandbox escape with improperly separated process types
• #CVE-2020-6831: Buffer overflow in SCTP chunk input validation
• #CVE-2020-12396: Memory safety bugs fixed in Firefox 76

Moderate

• #CVE-2020-12390: Incorrect serialization of nsIPrincipal.origin for IPv6 addresses
• #CVE-2020-12391: Content-Security-Policy bypass using object elements
• #CVE-2020-12392: Arbitrary local file access with 'Copy as cURL
• #CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection

Low

• #CVE-2020-12394: URL spoofing in location bar when unfocussed

New

• With today’s release, Firefox strengthens protections for your online account logins and passwords, with innovative approaches to managing your accounts during this critical time:
  
  • Firefox displays critical alerts in the Lockwise password manager when a website is breached;
  • If one of your accounts is involved in a website breach and you've used the same password on other websites, you will now be prompted to update your password. A key icon identifies which accounts use that vulnerable password.
  • Automatically generate secure, complex passwords for new accounts across more of the web that are easily saved right in the browser;
  • You have been able to access and see your saved passwords under Logins and Passwords easily under the main menu. If your device happens to be shared among your family or roommates, the latest update helps to prevent casual snooping over your shoulder. If you don’t have a master password set up for Firefox, Windows and macOS now requires a login to your operating system account before showing your saved passwords.
  • Picture-in-Picture allows you to multitask, the small video window following along no matter what you are doing on your computer, across different applications and even workspaces. Now, when you are ready to focus on the video, a double click can take the small window into full screen. Double click again to reduce the size again. 

• Firefox now supports Audio Worklets that will allow more complex audio processing like VR and gaming on the web; and is being adopted by some of your favorite software programs.
  • With this change, you can now join Zoom calls on Firefox without the need for any additional downloads. 

• WebRender continues its roll out to more Firefox for Windows users, now available by default on modern Intel laptops with a small screen (<= 1920x1200) for improved graphics rendering. Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References

• Common questions after updating Firefox
• Security Updates
• Release Notes
• Rapid Release Calendar

Remember - "A day without laughter is a day wasted." May the wind sing to you and the sun rise in your heart...