Firefox 79.0.0 and 78.1.0 esr released

[German]Mozilla's developers have released the version 79.0. of the Firefox browser (as well as the 78.1.0 esr) on 29 July 2020. These are maintenance updates that fix both vulnerabilities and bugs.

Firefox 79.0.0

The release notes for version 79.0.0 state that this version should fix the following bugs.

• We've rolled out WebRender to more Windows users with Intel and AMD GPUs, bringing improved graphics performance to an even larger audience.
• Firefox users in Germany will now see more Pocket recommendations in their new tab featuring some of the best stories on the web. If you don't see them, you can turn on Pocket articles in your new tab by following these steps.

So the WebRenderer will be available on more systems and German users will get more pocket recommendations. The developers have also made a number of security fixes. Here are the vulnerabilities rated as high, which have been closed.

• CVE-2020-15652: Potential leak of redirect targets when loading scripts in a worker: By observing the stack trace for JavaScript errors in webworkers, it was possible to retrieve the result of a cross-origin redirection. This only applied to content that could be parsed as script.
• CVE-2020-6514: WebRTC data channel leaks internal address to peer: WebRTC used the memory address of a class instance as a connection identifier. Unfortunately, this value is often transferred to the peer, which can bypass ASLR.
• CVE-2020-15655: Extension APIs could be used to bypass Same-Origin Policy: Mozilla developer Rob Wu discovered that a redirected HTTP request observed or modified via a Web extension could bypass existing CORS checks. This could lead to potential disclosure of information from other countries of origin.

The following vulnerabilities have been given the threat level Medium and have also been eliminated.

• CVE-2020-15653: Bypassing iframe sandbox when allowing popups: Mozilla developer Anne van Kesteren discovered that iframe sandbox can be bypassed with the allow-popups flag when using noopener links. This could have led to security issues for sites that rely on sandbox configurations that allow popups and host arbitrary content.
• CVE-2020-6463: Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture: JIT optimizations using the Javascript Arguments object could 'confuse' later optimizations. This risk has already been mitigated by various precautions in the code, so this bug is considered moderately severe.
• CVE-2020-15656: Type confusion for special arguments in IonMonkey: JIT-Optimierungen mit dem Javascript-Argumente-Objekt könnten spätere Optimierungen 'verwirren'. Dieses Risiko wurde bereits durch verschiedene Vorkehrungen im Code gemildert, so dass dieser Fehler nur als mäßig schwerwiegend eingestuft wurde.
• CVE-2020-15658: Overriding file type when saving to disk: he file download code does not properly handle special characters. This allowed an attacker to truncate a file that ended at a previous location. This resulted in a different file type being downloaded than that displayed in the dialog box.
• CVE-2020-15657: DLL hijacking due to incorrect loading path: On Windows, Firefox could be tricked into loading attacker-provided DLL files from the installation directory. To do this, an attacker had to be able to write files to the installation directory (no problem with Firefox portable). To my shame I have to admit that I never tested Firefox in this way, maybe it would have been noticed.
• CVE-2020-15654: Custom cursor can overlay user interface:  In an infinite loop, a web page that specifies a custom cursor with CSS could look as if the user is interacting with the user interface, although this is not the case. This could lead to a state that is perceived as broken, especially if interactions with existing browser dialogs and warnings do not work.
• CVE-2020-15659: Memory safety bugs fixed in Firefox 79: Mozilla developers and community members reported memory safety bugs in Firefox 78. Some of these bugs showed signs of memory corruption, and we believe that some of them could have been exploited with enough effort to execute arbitrary code.

These vulnerabilities are closed with the Firefox 79 update. The following fixes for problems were mentioned in the release notes:

• Several crashes when using a screen reader have been fixed, including a common crash when using the JAWS screen reader.
• The Firefox Developer Tools have been significantly improved so that screen reader users can benefit from some of the tools that were previously inaccessible.
• SVG title and desk elements (captions and descriptions) are now displayed correctly in utility products such as screen readers.

A number of bug fixes have been made for enterprise use. New guidelines have also been implemented in the latest version of Firefox. For more details, see the Firefox for Enterprise 79 release notes.

Firefox 78.1.0 esr

There was also an update of Firefox 78.1.0 esr with one year long term support with the same bug fixes and eliminated vulnerabilities. Firefox can be downloaded from this website. The updates are also available for direct download. The colleagues from deskmodder.de have provided the FTP download addresses here.

In the same washup, the Tor bundle was updated to 9.5.3 – details can be found here.