Mozilla Firefox 59.0.1 is a security release
Mozilla plans to distribute an update to Firefox's stable channel today that brings the version to Firefox 59.0.1 on the stable channel. Firefox ESR is updated to version 52.7.2.to address the issue as well.
The release comes three days after the release of Firefox 59.0 to the Stable channel.
Update: The release is available and the security advisory page describes the issue as "Out of bounds memory write while processing Vorbis audio data".
While we do know that Firefox 59.0.1 includes security fixes, we don't know the nature of them yet. Mozilla has yet to publish the release notes for Firefox 59.0.1 which will be released here.
Firefox users need to wait a bit longer before Mozilla releases the update. The browser will pick it up through its automatic updating mechanism if it has not been disabled or modified.
Users can run a check for updates with a click on Menu > Help > About Firefox. Firefox should pick up the new version if it is available to download and install it on the computer system.
The release is already on Mozilla's FTP server; download sites have picked it up already and are distributing it. Firefox users need to know, however, that it happened in the past that last minute issues or changes resulted in the release of another build.
Generally speaking, it is not recommended to install unreleased stable builds from Mozilla's FTP server.
While we don't know yet what the security release fixes, one possible explanation is that it addresses issues discovered during the Pwn2Own 2018 hacking content.
Firefox was targeted by Richard Zhu who managed to take full control over Firefox by using an out-of-bounds write in the browser followed by an Integer overflow in the Windows kernel.
All vulnerabilities used or discovered during the event are passed on to the companies that create or maintain the products.
Mozilla would have to have prior knowledge of the issues used to exploit the browser to release a patch on the same day.
The security advisory page has not been updated yet. The release notes may very well only inform users that security vulnerabilities have been patched.
> Mozilla would have to have prior knowledge of the issues used to exploit the browser to release a patch on the same day.
Nah, just fast.
Now that is impressive, great work.
To make it short : thanks, Martin. Faster than fast info, as always.
Thanks for the info, I’m waiting to the release on PortableApps.com. Only Firefox 59.0 was released in two weeks, don’t know what is happening on their side?
github commit here, 5 hours ago. The title (er “commit msg”?) is “Pwn2Own 2018 chemspill”
announced: March 16, 2018
– Firefox 59.0.1
– Firefox ESR 52.7.2
title: Out of bounds memory write while processing Vorbis audio data
title: Out of bounds memory write in libvorbis
reporter: Richard Zhu via Trend Micro’s Zero Day Initiative
An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest.
– url: 1446062
title: Out of bounds memory write in libtremor
reporter: Huzaifa Sidhpurwala
The libtremor library has the same flaw as CVE-2018-5146. This library is used by Firefox in place of libvorbis on Android and ARM platforms.
– url: 1446365
Please understand: When I posted, I believed the detailed information WAS available at the time the article was published. I posted the URLs so that the author could verify (and update the article) (and, in the future, know “where to look” to find pre-press security advisory announcements ~~ on github, instead of waiting for same info to be posted to mozilla website).
heh was just playing @:]
Fixed in Firefox 59.0.1
2018-08 Out of bounds memory write while processing Vorbis audio data
Thanks for heads up I would have missed this one.
Really this 59.0.1 has been deployed? Did anybody test it prior to “recommending urgent update”?
I cant believe this is the way to develop and deploy an application.
A shame chrome sucks so bad, but you are struggling to be worst!!
Netscape, come back, please.
You’re complaining because a security fix has been released so fast? lol
Mozilla uses Continuous integration to always have a working build in their version control system. All you need is a new test for the new bug and manual QA to make sure it doesn’t affect anything unexpected.
With a geo-distributed organization like Mozilla, you can have folks in the US work on the patch and do some over time until folks in Europe wake up to coordinate QA and release management.
Question to any Mozilla guy out there: Did you fix the webpage rendering problem of 59.0 when hardware acceleration is activated?
That one with Cleartype disabled? Not yet.
Yes, that one, although for me Cleartype didn’t fix it, just turning off hardware acceleration. I guess I will have to wait until 59.0.2.
On a slightly separate note (but in connection with 59.0.1) – and not sure if Martin might know the answer?
I notice an odd thing. I use only Portable versions of Firefox, be in Quantum or earlier. Until Quantum, copying the entire folder structure to a new PC or a new location would result in a perfect working copy, with profile in tact, ….literally, move it and go!
But since Quantum, while this ability to move it ‘as is’ still works fine, Quantum insists on reporting that the version has effectively dropped back down to 57.0, even though the files being moved were 58x or even 59x. Its almost as though files are being store elsewhere, outside of the portable folders, and Firefox then needs updating all over again, even though it might have been right up to date, just as it was being copied.
In pre Quantum days, this never happened, and the version number being reported was the same version number that had just been moved/transferred/copied.
Odd! Don’t know if anyone else has encountered that? Of course, this will only relate to portable version.
Portable versions are third party builds of Firefox and not supported by Mozilla.
In fact, the hacks that make it portable are sometimes quite dramatic and sadly have a history of causing crashes and instability that is hard and almost impossible to fix, especially given the limited detail knowledge we have of those hacks.
The best recommendation is really, not to use a portable build :/
I use Firefox portable ESR for years. Never crashed. Just downloaded ver. 52.7.2.
@ Anon Coward – I can’t say that I agree with this, at least in my experience. I have been using portable versions of software for years, and in the case of Firefox, for as long as I can remember…..many years! They have been incredibly well behaved (perhaps you had a poor experience). Never had a moment of trouble…..and I only asked here, because of this odd anomaly that has crept in since Quantum, but not before it.
I use Quantum from PortableApps and I have not this problem. Never update it with the updater, always download new releases from PortableApps.com. Try to clean your temp folders.
Thanks Anonymous……… I do believe you would not indeed experience the issue that I described, if you are in the habit of downloading a new release from PortableApps. I update from the software, but you presumably copy your profile info over to the new install. Perhaps I’ll try that. Thanks.
“app” folder, sorry.
As I have not modified/added any folder/file in the “apps” folder, before running the PortableApps’ installer I simply delete the “apps” folder. Using this recommended method of course don’t forget to disable completely auto-update. Personally to avoid eventual problems with any firefox.exe continuing to run on background I also disabled the multiprocess feature. Also never install The PortableApps.com Platform.