It's 2018 and… wow, you're still using Firefox? All right then, patch these horrid bugs

OG open-source darling gets security check-up

By Shaun Nichols in San Francisco


Mozilla's Firefox has been patched to address more than 30 CVE-listed security vulnerabilities.

The open-source browser has been updated in both its regular (Firefox 58) and extended support (ESR 52.6) flavors. You should install these as soon as possible.

The Firefox 58 update includes fixes for critical memory corruption bugs (under the blanket CVE-2018-5089 and CVE-2018-5090 labels) that could be exploited by dodgy webpages to execute malicious code within the browser – in other words, hijack the application and potentially the whole computer.

Ten of the 32 CVE-listed bugs fixed in the update patch up use-after-free cockups, which can be exploited by bad websites to either crash the software or be used as a stepping stone to malicious code execution and malware installation.

Among the most serious of the patched flaws was CVE-2018-5091, a use-after-free bug present in the DTMF timers used for WebRTC connections. Next, the fixes for CVE-2018-5093 and CVE-2018-5094 correct buffer overflow blunders in WebAssembly, while CVE-2018-5095 addresses a buffer overflow in the Skia graphics library.

A successful exploit of CVE-2018-5105 in WebExtensions would allow a website to save files to disk and launch them without any user notification, while CVE-2018-5107 could allow a webpage to abuse the print function to access some local files.

Other patched bugs include CVE-2018-5109, a flaw that allows pages to spoof the origin of an audio capture request, and CVE-2018-5117, a flaw in the display of address information that could allow for URL spoofing.

The ESR 52.6 update, meanwhile, contains 11 of the Firefox 58 updates, including the critical-rated memory corruption bug (CVE-2018-5089) and WebRTC use-after-free (CVE-2018-5091) vulnerability.

The security updates come as part of a larger overhaul of Firefox with the version 58 release. In addition to the bug fixes, the update speeds up graphics rendering and JavaScript performance for desktop users, includes support for progressive web apps on Android, and provides new menus for iOS.

Firefox 58 also builds on last fall's release of Firefox 57. Considered the biggest update to the browser in years, the Firefox 57 release introduced Quantum, a rewritten browser engine that was intended to finally help Firefox compete with the likes of Google's Chrome and Microsoft's Edge browsers. ®
