This article is more than 1 year old
It's 2018 and… wow, you're still using Firefox? All right then, patch these horrid bugs
OG open-source darling gets security check-up
Mozilla's Firefox has been patched to address more than 30 CVE-listed security vulnerabilities.
The open-source browser has been updated in both its regular (Firefox 58) and extended support (ESR 52.6) flavors. You should install these as soon as possible.
The Firefox 58 update includes fixes for critical memory corruption bugs (under the blanket CVE-2018-5089 and CVE-2018-5090 labels) that could be exploited by dodgy webpages to execute malicious code within the browser – in other words, hijack the application and potentially the whole computer.
Ten of the 32 CVE-listed bugs fixed in the update patch up use-after-free cockups, which can be exploited by bad websites to either crash the software or be used as a stepping stone to malicious code execution and malware installation.
Among the most serious of the patched flaws was CVE-2018-5091, a use-after-free bug present in the DTMF timers used for WebRTC connections. Next, the fixes for CVE-2018-5093 and CVE-2018-5094 correct buffer overflow blunders in WebAssembly, while CVE-2018-5095 addresses a buffer overflow in the Skia graphics library.
A successful exploit of CVE-2018-5105 in WebExtensions would allow a website to save files to disk and launch them without any user notification, while CVE-2018-5107 could allow a webpage to abuse the print function to access some local files.
Other patched bugs include CVE-2018-5109, a flaw that allows pages to spoof the origin of an audio capture request, and CVE-2018-5117, a flaw in the display of address information that could allow for URL spoofing.
The ESR 52.6 update, meanwhile, contains 11 of the Firefox 58 updates, including the critical-rated memory corruption bug (CVE-2018-5089) and WebRTC use-after-free (CVE-2018-5091) vulnerability.
The security updates come as part of a larger overhaul of Firefox with the version 58 release. In addition to the bug fixes, the update speeds up graphics rendering and JavaScript performance for desktop users, includes support for progressive web apps on Android, and provides new menus for iOS.
Firefox 58 also builds on last Fall's release of Firefox 57. Considered the biggest update to the browser in years, the Firefox 57 release introduced Quantum, a rewritten browser engine that was intended to finally help Firefox compete with the likes of Google's Chrome and Microsoft's Edge browsers. ®
Biting the hand that feeds IT
