Mozilla Firefox 59.0.1 is a security release

Martin Brinkmann
Mar 16, 2018
Updated • May 22, 2018

Mozilla plans to distribute an update to Firefox's stable channel today that brings the version to Firefox 59.0.1. Firefox ESR is updated to version 52.7.2 to address the issue as well.

The release comes three days after the release of Firefox 59.0 to the Stable channel.

Update: The release is available and the security advisory page describes the issue as "Out of bounds memory write while processing Vorbis audio data".

While we do know that Firefox 59.0.1 includes security fixes, we don't know the nature of them yet. Mozilla has yet to publish the release notes for Firefox 59.0.1, which will be published here.

Firefox users need to wait a bit longer before Mozilla releases the update. The browser will pick it up through its automatic updating mechanism if it has not been disabled or modified.

Users can run a check for updates with a click on Menu > Help > About Firefox. If the new version is available, Firefox should pick it up, download it, and install it on the computer system.

The release is already on Mozilla's FTP server; download sites have picked it up already and are distributing it. Firefox users should know, however, that last-minute issues or changes have in the past resulted in the release of another build.

Generally speaking, it is not recommended to install unreleased stable builds from Mozilla's FTP server.

While we don't know yet what the security release fixes, one possible explanation is that it addresses issues discovered during the Pwn2Own 2018 hacking contest.

Firefox was targeted by Richard Zhu, who managed to take full control over Firefox by using an out-of-bounds write in the browser followed by an integer overflow in the Windows kernel.

All vulnerabilities used or discovered during the event are passed on to the companies that create or maintain the products.

Mozilla would have to have prior knowledge of the issues used to exploit the browser to release a patch on the same day.

The security advisory page has not been updated yet. The release notes may very well only inform users that security vulnerabilities have been patched.

Publisher: Ghacks Technology News

Comments

  1. Anonymous said on March 19, 2018 at 1:45 pm
    Reply

    As I have not modified/added any folder/file in the “apps” folder, before running the PortableApps’ installer I simply delete the “apps” folder. Using this recommended method of course don’t forget to disable completely auto-update. Personally to avoid eventual problems with any firefox.exe continuing to run on background I also disabled the multiprocess feature. Also never install The PortableApps.com Platform.

  2. Sophie said on March 19, 2018 at 11:54 am
    Reply

    Thanks Anonymous……… I do believe you would not indeed experience the issue that I described, if you are in the habit of downloading a new release from PortableApps. I update from the software, but you presumably copy your profile info over to the new install. Perhaps I’ll try that. Thanks.

    1. Anonymous said on March 19, 2018 at 1:49 pm
      Reply

      “app” folder, sorry.

  3. Sophie said on March 17, 2018 at 8:55 am
    Reply

    On a slightly separate note (but in connection with 59.0.1) – and not sure if Martin might know the answer?

    I notice an odd thing. I use only Portable versions of Firefox, be it Quantum or earlier. Until Quantum, copying the entire folder structure to a new PC or a new location would result in a perfect working copy, with profile intact, ….literally, move it and go!

    But since Quantum, while this ability to move it ‘as is’ still works fine, Quantum insists on reporting that the version has effectively dropped back down to 57.0, even though the files being moved were 58x or even 59x. It’s almost as though files are being stored elsewhere, outside of the portable folders, and Firefox then needs updating all over again, even though it might have been right up to date, just as it was being copied.

    In pre Quantum days, this never happened, and the version number being reported was the same version number that had just been moved/transferred/copied.

    Odd! Don’t know if anyone else has encountered that? Of course, this will only relate to portable version.

    1. Anonymous said on March 18, 2018 at 10:16 am
      Reply

      I use Quantum from PortableApps and I have not this problem. Never update it with the updater, always download new releases from PortableApps.com. Try to clean your temp folders.

    2. Anonymous Coward said on March 17, 2018 at 8:53 pm
      Reply

      Portable versions are third party builds of Firefox and not supported by Mozilla.
      In fact, the hacks that make it portable are sometimes quite dramatic and sadly have a history of causing crashes and instability that is hard and almost impossible to fix, especially given the limited detail knowledge we have of those hacks.

      The best recommendation is really, not to use a portable build :/

      1. Sophie said on March 18, 2018 at 9:35 am
        Reply

        @ Anon Coward – I can’t say that I agree with this, at least in my experience. I have been using portable versions of software for years, and in the case of Firefox, for as long as I can remember…..many years! They have been incredibly well behaved (perhaps you had a poor experience). Never had a moment of trouble…..and I only asked here, because of this odd anomaly that has crept in since Quantum, but not before it.

      2. ilev said on March 18, 2018 at 7:06 am
        Reply

        I use Firefox portable ESR for years. Never crashed. Just downloaded ver. 52.7.2.

  4. Steve said on March 17, 2018 at 7:25 am
    Reply

    Question to any Mozilla guy out there: Did you fix the webpage rendering problem of 59.0 when hardware acceleration is activated?

    1. Anonymous said on March 17, 2018 at 12:09 pm
      Reply

      That one with Cleartype disabled? Not yet.

      1. Steve said on March 18, 2018 at 5:55 am
        Reply

        Yes, that one, although for me Cleartype didn’t fix it, just turning off hardware acceleration. I guess I will have to wait until 59.0.2.

  5. akira said on March 16, 2018 at 10:47 pm
    Reply

    Really this 59.0.1 has been deployed? Did anybody test it prior to “recommending urgent update”?
    I can’t believe this is the way to develop and deploy an application.
    A shame chrome sucks so bad, but you are struggling to be worst!!
    Netscape, come back, please.

    1. Anonymous Coward said on March 17, 2018 at 8:51 pm
      Reply

      Mozilla uses Continuous integration to always have a working build in their version control system. All you need is a new test for the new bug and manual QA to make sure it doesn’t affect anything unexpected.
      With a geo-distributed organization like Mozilla, you can have folks in the US work on the patch and do some overtime until folks in Europe wake up to coordinate QA and release management.

    2. TC said on March 17, 2018 at 3:07 pm
      Reply

      You’re complaining because a security fix has been released so fast? lol

  6. leanon said on March 16, 2018 at 7:02 pm
    Reply

    Fixed in Firefox 59.0.1

    2018-08 Out of bounds memory write while processing Vorbis audio data

    Thanks for heads up I would have missed this one.

    https://www.mozilla.org/en-US/firefox/all/

  7. gh said on March 16, 2018 at 5:35 pm
    Reply

    github commit here, 5 hours ago. The title (er “commit msg”?) is “Pwn2Own 2018 chemspill”
    https://github.com/mozilla/foundation-security-advisories

    https://github.com/mozilla/foundation-security-advisories/commit/a105d00a1627b6716373df0505279c23a33a8cbb

    announced: March 16, 2018
    impact: critical
    fixed_in:
    - Firefox 59.0.1
    - Firefox ESR 52.7.2
    title: Out of bounds memory write while processing Vorbis audio data
    advisories:
      CVE-2018-5146:
        title: Out of bounds memory write in libvorbis
        impact: critical
        reporter: Richard Zhu via Trend Micro's Zero Day Initiative
        description: |
          An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest.
        bugs:
          - url: 1446062
      CVE-2018-5147:
        title: Out of bounds memory write in libtremor
        impact: critical
        reporter: Huzaifa Sidhpurwala
        description: |
          The libtremor library has the same flaw as CVE-2018-5146. This library is used by Firefox in place of libvorbis on Android and ARM platforms.
        bugs:
          - url: 1446365

    1. leanon said on March 18, 2018 at 8:12 am
      Reply

      Show off

      1. gh said on March 18, 2018 at 10:26 pm
        Reply

        Please understand: When I posted, I believed the detailed information WAS available at the time the article was published. I posted the URLs so that the author could verify (and update the article) (and, in the future, know “where to look” to find pre-press security advisory announcements ~~ on github, instead of waiting for same info to be posted to mozilla website).

      2. leanon said on March 19, 2018 at 1:15 am
        Reply

        heh was just playing @:]

  8. Anonymous said on March 16, 2018 at 5:26 pm
    Reply

    Thanks for the info, I’m waiting for the release on PortableApps.com. Only Firefox 59.0 was released in two weeks, don’t know what is happening on their side?

  9. Tom Hawack said on March 16, 2018 at 4:01 pm
    Reply

    Done.
    To make it short : thanks, Martin. Faster than fast info, as always.

  10. Frederik Braun said on March 16, 2018 at 3:38 pm
    Reply

    > Mozilla would have to have prior knowledge of the issues used to exploit the browser to release a patch on the same day.

    Nah, just fast.

    1. Martin Brinkmann said on March 16, 2018 at 3:45 pm
      Reply

      Now that is impressive, great work.
