Mozilla releases security updates Firefox 66.0.1 and 60.6.1 ESR

Martin Brinkmann
Mar 23, 2019

Mozilla has just released Firefox 66.0.1 and Firefox 60.6.1 ESR to the public. The two new versions of Firefox patch critical security vulnerabilities in the web browser.

Firefox users should receive the updates automatically if automatic updating is turned on in the browser (which it is by default). The new versions are also available as standalone downloads from Mozilla's official website.

Firefox users may select Menu > Help > About Firefox to run a manual check for updates to download the new version immediately. It takes a while as Firefox does not run real-time update checks.

Firefox 66.0.1 and Firefox 60.6.1 ESR

Mozilla patched two critical security vulnerabilities in Firefox 66.0.1 and Firefox 60.6.1 ESR (Extended Support Release).

The vulnerabilities are listed on the official Firefox Security Advisories website:

CVE-2019-9810: IonMonkey MArraySlice has incorrect alias information

Incorrect alias information in IonMonkey JIT compiler for Array.prototype.slice method may lead to missing bounds check and a buffer overflow.

CVE-2019-9813: Ionmonkey type confusion with __proto__ mutations

Incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write.

Additional information is not provided at this time; the linked bug listings are blocked from the public.

The two researchers who discovered the vulnerabilities are Richard Zhu and Amat Cama, and it is probably no coincidence that they successfully attacked Firefox in this year's Pwn2Own competition.

The security researchers managed to use an exploit in Firefox to execute code at the system level if a user visited a specially prepared website.

They leveraged a JIT bug in the browser, then used an out-of-bounds write in the Windows kernel to effectively take over the system. They were able to execute code at SYSTEM level just by using Firefox to visit their specially crafted website.

The competition saw another successful attack targeting Firefox. Niklas Baumstark exploited a JIT bug in Firefox to escape the sandbox, which would allow an attacker to run code on the device with the same permissions as the signed-in user.

He used a JIT bug in the browser followed by a logic bug to escape the sandbox. In a real-world scenario, an attacker could use this to run their code on a target system at the level of the logged-on user.

It is recommended to update to the new patched versions of Firefox to protect the browser and underlying system from attacks targeting these vulnerabilities.
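For administrators who need to confirm that machines have actually picked up the fixed builds, the following added example (not part of the original article) classifies `firefox --version` output against the two patched versions named above. The host names and inventory lines are constructed, and the script assumes ESR builds report an `esr` suffix in their version string.

```python
import re

# Fixed versions named in the article, one per update channel.
PATCHED = {"release": (66, 0, 1), "esr": (60, 6, 1)}

# Matches "66.0.1", "66.0" or "60.6.1esr"; pre-release strings such as
# "67.0b4" deliberately do not match and are reported as "unknown".
_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?")


def classify(version_line):
    """Return (channel, version_tuple, status) for one `firefox --version` line."""
    parts = version_line.strip().split()
    token = parts[-1] if parts else ""
    m = _VERSION.fullmatch(token)
    if not m:
        return (None, None, "unknown")
    version = (int(m[1]), int(m[2]), int(m[3] or 0))
    # Assumption: ESR builds carry the "esr" suffix; anything else is
    # compared against the regular release channel.
    channel = "esr" if m[4] else "release"
    status = "patched" if version >= PATCHED[channel] else "needs-update"
    return (channel, version, status)


def audit(inventory):
    """Map each host to the status of its reported Firefox version."""
    return {host: classify(line)[2] for host, line in inventory.items()}


# Constructed sample inventory: host name -> output of `firefox --version`.
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 66.0.1",
    "ws-02": "Mozilla Firefox 66.0",
    "ws-03": "Mozilla Firefox 60.6.1esr",
    "ws-04": "Mozilla Firefox 60.6.0esr",
    "ws-05": "Mozilla Firefox 52.9.0esr",
    "ws-06": "Mozilla Firefox 67.0b4",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as `unknown` run a build whose version string the script does not recognise and should be checked by hand.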


Comments

  1. NOT Jody Thornton said on May 18, 2019 at 11:57 pm
    Reply

    FAST !! No browser is faster than others.

    The hog comes from third party libraries on webpages.

    Google, CDNs, Amazon, Facebook, Twitter, Disqus…

    @Jody Thornton Nice try, consumerist. I’m using a netbook with 1 Gb of RAM.

  2. DonPachiHK said on March 26, 2019 at 12:58 am
    Reply

    FF 52.9 ESR, but the ones from Frontmotion, not the M0ZILLA one…

    Sad, sad M0zilla C0rp0ration.

    + no script by Maone
    + decentraleyes (This is very important for avoiding mass-tracking)
    + uBo by Gorhill (and maybe uM)
    + some user agent spoofing XPI that can be easily deactivated
    + local proxy and PAC File.

  3. Anonymous said on March 25, 2019 at 2:52 pm
    Reply

    Dual-cores really don’t cut it anymore even for basic web browsing. You need a quad-core (an actual quad-core, not a dual-core with HyperThreading) and 8 GB RAM to have a decent experience. Anything less than that is asking for trouble.

    I finally had to retire my old AMD Athlon II X2 + 3 GB RAM system because it couldn’t keep up anymore, regardless of the browser.

  4. foro said on March 24, 2019 at 1:38 pm
    Reply

    Any idea why I haven’t got Firefox 66 on my Android 7.1 yet? It’s the latest Lineage OS, Moto X Play.

  5. ULBoom said on March 24, 2019 at 2:12 am
    Reply

    I switched to ESR (60.6.1) a few days ago and it does seem to have more consistent input responses, better video and audio performance. Also has many fewer config settings. Isn’t frequently updated with the latest junkware and fixes for blunders as the regular version is.

    Not sure why there’s such a difference, my config mods and addons (all 6 of them!) are essentially the same as before but the difference is noticeable.

  6. Joe C said on March 23, 2019 at 7:08 pm
    Reply

    I updated to 66.0.1 about an hour ago with Windows 10 Home and all went flawlessly, but when Firefox updated on my Windows 7 Pro pc just now, it crashed my pc. I had no video display. My only option was to do a reboot with the power button and after it booted back up, my Firefox icon was gone from my taskbar, and clicking on the desktop Firefox icon did nothing at all… Firefox was borked.
    I had to download the new version and install that. I did not lose anything like my bookmarks & cookies.

  7. Andrew Kiernan said on March 23, 2019 at 12:14 pm
    Reply

    Firefox 66 freezes here while starting to play Youtube videos sometimes (those where ads will be shown, apparently), and this didn’t happen with Firefox 65. I was hoping those urgent fixes a couple days after the release may address it, but nah it did not :-(

    Anyone else experiencing that?

    1. haha said on March 24, 2019 at 3:52 am
      Reply

      No problem with youtube so far but I do encounter another big problem.

      FF66 repeatedly resets ALL settings of installed extensions and deletes ALL the installed scripts of violentmonkey. I have to manually set up everything back every time it resets…

      “Refreshing” the firefox profile does not help…

      1. Andrew Kiernan said on March 24, 2019 at 12:12 pm
        Reply

        Greasemonkey seems to work normally here, fwiw.

    2. Irfan said on March 23, 2019 at 7:29 pm
      Reply

      Youtube videos do NOT freeze anymore in v.66 and v.66.0.1 :)
      If you still have a problem then use the h264ify plugin to solve the freezing problem.

      1. Andrew Kiernan said on March 24, 2019 at 12:10 pm
        Reply

        Huh?

        Hold… I have enabled av1 in YT, perhaps that’s the reason behind that since actually I have also noticed streaming AV1 videos is more choppy than in the previous version…

  8. stefann said on March 23, 2019 at 11:44 am
    Reply

    I tried 60.6.1 ESR on my Windows 7 x64. Still, after this long time with that Quantum BS about 85% of my addons can’t be replaced. Yep, I went back to 52.9.0 ESR.

    1. scorpiogreen said on March 29, 2019 at 3:11 am
      Reply

      “Yep, i went back to 52.9.0 ESR”

      Lol, since this is concerning Quantum, a browser that you said you won’t use, then why are you here?

      Eventually websites won’t render properly (as Pale Moon users are finding out) and then you’ll be coming back here wondering why.

      I bit the bullet and recently ditched 52.9.0 and although I missed some extensions, they weren’t critical for my needs.

    2. Allwynd said on March 24, 2019 at 3:55 pm
      Reply

      Can the old XUL addons still be installed from somewhere for that old version of ESR?

      I really hate why they deprecated the XUL addon support, that was the only reason to use Firefox, now I can just use Chrome, which is faster and better in everything compared to Firefox. With current Firefox Quantum being a more bloated and slower Chrome clone that has less features and customization than pre-Quantum Firefox.

      1. Iron Heart said on March 25, 2019 at 1:02 pm
        Reply

        @Allwynd

        You can access XUL add-ons by using this extension:

        https://github.com/JustOff/ca-archive/releases

        That being said, I suggest you switch from Firefox 52 ESR to either Waterfox or Basilisk. Firefox 52 ESR no longer gets security updates, the other two still do.

    3. Tom Hawack said on March 23, 2019 at 12:35 pm
      Reply

      Was a time I had 70+ legacy add-ons prior to Quantum of course. I switched to Quantum and completely reorganized by extensions, slowly replacing the add-ons. I now have ~45 Webextensions and miss no feature provided by pre-Quantum legacy add-ons. The browser is faster, uses less CPU and less RAM, is far more stable. I wouldn’t return to old versions and not even to ESR, ESR which I used when Quantum appeared for the same reasons as you, stefann, before realizing when anticipating tomorrows that I’d inevitably be confronted to Quantum sooner or later if I maintained Firefox. Later meaning more tears I opted for sooner.

      1. Anonymous said on March 24, 2019 at 2:46 pm
        Reply

        @Tom Hawack
        Of course it’s faster for you, 25+ extensions were extinguished lol.
        I have to wonder why you need that many extensions.. Are you using all of them?
        Many extensions are not available in Quantum and the available ones are crippled to oblivion.

      2. Tom Hawack said on March 25, 2019 at 10:30 am
        Reply

        @Anonymous, it’s not the minus 25 extensions from pre-Quantum to Quantum which makes the difference. Quantum is just faster, snappier making me happier (that’s for the rhyme: snappy-happy, lol).

        I don’t “need” extensions, or maybe 2 or three, in the same way that I don’t “need” furniture (besides a mattress, a table and 2 chairs (one for me and one for you if you drop in!). Extensions for very few, those which contribute to privacy and security perhaps deserve being needed, otherwise the reason is mainly comfort.

        At this time I’ve found all I wished for a browser, Firefox in my case, within Webextensions. This is so personal and I can very well elaborate on a scheme of minimalism when it comes to a browser and its extensions as when it concerns life : we need very little if we get to understand what needing means. So I understand your wondering. It’s mainly a quest of a cozy, bourgeois place… I mean browser :=)

      3. stefann said on March 23, 2019 at 4:34 pm
        Reply

        That is your opinion. I don’t care if a browser is 0.0000005% faster than the old one. Ridiculous really. I couldn’t see much difference between the old ESR and the new….

      4. Jody Thornton said on March 23, 2019 at 11:36 pm
        Reply

        @stefann

        Well it’s much more than 0.0000005% faster. I use Quantum ESR 60. Would never look back. It’s like going on a diet. You’ll get used to healthier food. And Quantum runs shit loads better than any Australis build or clone. (Waterfox, Basilisk).

        So it’s not just Tom’s opinion. It’s fact.

      5. Iron Heart said on March 24, 2019 at 11:00 am
        Reply

        @Jody Thornton:

        Disagree. Quantum is a RAM hog without equal, and if RAM is limited, it flat out sucks. Also, whether or not you see a benefit depends on your hardware. If your PC is an i7 with strong GPU and SSD, no software will perform bad. If Firefox was slow before, that was likely due to insufficient hardware.

      6. Jody Thornton said on March 24, 2019 at 2:45 pm
        Reply

        @Iron Heart:

        See, this is where I have to ask myself a few things about those using lower end hardware in 2019.

        (a) In 2019, no one should be running less than a DuoCore and 8 GB of RAM. That’s current hardware. Pretty much the plain and simple of it now. Windows 7 or 8x should be the going systems now (OK Windows 10 too – but I hate it …lol). I’ll let the Linux crowd chime in on their environments.

        (b) Don’t say to me “But I can’t afford new hardware”. Off-lease, clearance and second-hand systems are so plentiful, and for soooooo cheap. Like less than $100 bucks. I know there might be exceptions – there always are. But don’t keep an Atom, Duron or P4 going with 4 GB of memory, thinking you should be able to browse TODAY’S web with it.

        (c) When you have enough RAM, you shouldn’t be caring about how much a browser uses. Please everyone stop with the nonsense of “Well they should code applications more tightly”. You’re not wrong, but it ain’t EVER EVER gonna happen. With programming interfaces being used to build code upon, no one wants to go back to scratch all over again, so stop wishing for it to happen.

        (d) One more thing, if the RAM use is too exhaustive, you can disable e10s and run Quantum in one process. It does reduce RAM use.

        Remember, up until a little while ago, I was shit-poor, so if I can manage to obtain a usable machine, then anyone can.

      7. Jason said on March 25, 2019 at 3:59 pm
        Reply

        All good points. I wonder, though, if the delays some people experience are due to ads rather than old hardware. I recently had to turn ad blocking off on a family member’s half-decent laptop, only to realize how absurdly slow much of the internet becomes as a result.

        Returning to the issue of RAM usage, I’ve got to mention that Firefox processes on my computer are currently using 921 MB. This is for just 5 open tabs and 10 installed extensions (FF v.65) on a Linux laptop with 8 GB RAM. Let us acknowledge that this is a pretty inefficient use of available resources to just show me a couple of Ghacks pages. :) The only saving grace is that most of this RAM use is for the “overhead” of actually running Firefox, meaning that RAM use doesn’t go up dramatically as I open more and more tabs.

        Oh well, that’s the same story with all major browsers today.

      8. Anonymous said on March 25, 2019 at 3:55 am
        Reply

        @Jody Thornton
        lol I think your post further strengthens Iron Heart’s point?

        Jody Thornton: Quantum runs shit loads better than any Australis build or clone.

        Iron Heart: If Firefox was slow before, that was likely due to insufficient hardware.

        Jody Thornton: Remember, up until a little while ago, I was shit-poor, so if I can manage to obtain a usable machine, then anyone can.

        So the reason your Firefox is much faster now because you obtained usable machine?

      9. Jody Thornton said on March 25, 2019 at 9:56 am
        Reply

        @Anonymous wrote ….. “So the reason your Firefox is much faster now because you obtained usable machine?”

        Absolutely. It doesn’t help anyone to keep propping up older hardware, when a newer machine is easily and cheaply obtainable.

        But even on older hardware (I was comparing Vista and Windows 8 on an HP xw8200 with dual-Xeons (Netburst type)), Quantum was much, much more speedy than Firefox 56 or Pale Moon 28 (in terms of rendering speed.). The only add-ons were uBlock Origin. So ye olde Fox is slower.

        The reason I recommend the newer hardware is so that you can always run the newer OS, which is able to run Quantum. Yes, even old Firefox will run faster, but Quantum is loads more stable. Australis fans will try to disagree, but I’ve had no issues with it.

      10. Oli Bombay said on March 23, 2019 at 7:44 pm
        Reply

        Honestly I’ve seen it run substantially faster in multiple cases, especially when it comes to poorly coded websites or websites that have many different java-script sources built-in. It really starts to add up over time in time saving.

        Either way this works just fine with me since I only really use 3 extensions for my browser.
