It's 2018 and… wow, you're still using Firefox? All right then, patch these horrid bugs

OG open-source darling gets security check-up

By Shaun Nichols in San Francisco

Mozilla's Firefox has been patched to address more than 30 CVE-listed security vulnerabilities.

The open-source browser has been updated in both its regular (Firefox 58) and extended support (ESR 52.6) flavors. You should install these as soon as possible.

The Firefox 58 update includes fixes for critical memory corruption bugs (under the blanket CVE-2018-5089 and CVE-2018-5090 labels) that could be exploited by dodgy webpages to execute malicious code within the browser – in other words, hijack the application and potentially the whole computer.

Ten of the 32 CVE-listed bugs fixed in the update patch up use-after-free cockups, which bad websites can exploit either to crash the software or as a stepping stone to malicious code execution and malware installation.

Among the most serious of the patched flaws was CVE-2018-5091, a use-after-free bug present in the DTMF timers used for WebRTC connections. Next, the fixes for CVE-2018-5093 and CVE-2018-5094 correct buffer overflow blunders in WebAssembly, while CVE-2018-5095 addresses a buffer overflow in the Skia graphics library.

A successful exploit of CVE-2018-5105 in WebExtensions would allow a website to save files to disk and launch them without any user notification, while CVE-2018-5107 could allow a webpage to abuse the print function to access some local files.

Other patched bugs include CVE-2018-5109, a flaw that allows pages to spoof the origin of an audio capture request, and CVE-2018-5117, a flaw in the display of address information that could allow for URL spoofing.

The ESR 52.6 update, meanwhile, contains 11 of the Firefox 58 updates, including the critical-rated memory corruption bug (CVE-2018-5089) and WebRTC use-after-free (CVE-2018-5091) vulnerability.
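One way to check whether an installed build is at or beyond the fixed version for its channel, as an added example that is not from the article: it assumes `firefox --version` prints a line such as "Mozilla Firefox 58.0" or "Mozilla Firefox 52.6.0esr", and it checks the ESR branch separately, since a regular 57.x build has a higher number than 52.6esr yet lacks these fixes.

```python
import re
from typing import Optional, Tuple

# Fixed versions named in the article: Firefox 58 (regular) and ESR 52.6.
PATCHED_REGULAR = (58, 0)
PATCHED_ESR = (52, 6)

# Matches "Mozilla Firefox 58.0" or "Mozilla Firefox 52.6.0esr"
# (assumed output format of `firefox --version`).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?\s*(esr)?", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """Return ((major, minor, patch), is_esr) from a version string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    return (major, minor, patch), m.group(4) is not None


def is_patched(text: str) -> Optional[bool]:
    """True if the build carries this advisory's fixes for its channel,
    False if it does not, None if the version string cannot be parsed.

    The ESR branch is numbered independently of the regular release, so the
    channel is decided first and only then is the version compared.
    """
    parsed = parse_version(text)
    if parsed is None:
        return None
    (major, minor, _patch), is_esr = parsed
    if is_esr:
        return (major, minor) >= PATCHED_ESR
    return (major, minor) >= PATCHED_REGULAR


if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["firefox", "--version"], capture_output=True,
                             text=True, timeout=30).stdout
    except (OSError, subprocess.SubprocessError):
        # Constructed sample used when Firefox is not on PATH.
        out = "Mozilla Firefox 57.0.4"
    verdict = is_patched(out)
    print(out.strip(), "->", "patched" if verdict else "NOT patched")
```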

The security updates come as part of a larger overhaul of Firefox with the version 58 release. In addition to the bug fixes, the update speeds up graphics rendering and JavaScript performance for desktop users, includes support for progressive web apps on Android, and provides new menus for iOS.

Firefox 58 also builds on last fall's release of Firefox 57. Considered the biggest update to the browser in years, Firefox 57 introduced Quantum, a rewritten browser engine intended to finally help Firefox compete with the likes of Google's Chrome and Microsoft's Edge. ®
