Firefox 62.0.3 is a security update - gHacks Tech News

Mozilla released Firefox 62.0.3 to the Stable channel of the web browser on October 2, 2018. The new version is first and foremost a security update; it also includes playback and freeze fixes for Mac OS X Mojave.

The update is already in distribution which means that most Firefox installations should pick it up automatically.

Firefox's automatic update system checks for updates frequently and if it finds a new update, installs it automatically. Firefox users who have blocked automatic updates need to run a manual check for updates or download the Firefox installer manually to install it on their devices.

Select Menu > Help > About Firefox to run a manual check for updates in the browser. The popup that opens displays the installed version as well.

If you download the installer manually, we suggest you use the offline installer, but the stub installer may work as well. The main differences between the two are that the offline installer includes everything that is required to install or update Firefox, and that it will always install a specific version of the browser.

Firefox 62.0.3

Firefox 62.0.3 fixes two critical security vulnerabilities that affect Stable and ESR versions of the browser.

CVE-2018-12386 and CVE-2018-12387 are two critical security issues that affect the sandboxed content process and may be exploited to execute code remotely.

A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered.

A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process.

The vulnerabilities affect Firefox 62.0.2 and earlier versions of the browser and Firefox 60.2.1 ESR and earlier.
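The affected-version ranges above, turned into a fleet check, as an added example that is not part of the original article. It assumes version strings shaped like `Mozilla Firefox 62.0.2` or `60.2.1esr`; the host names and inventory are constructed.

```python
import re

# Fixed versions named in the article: 62.0.3 (Stable) and ESR 60.2.2.
FIXED_RELEASE = (62, 0, 3)
FIXED_ESR = (60, 2, 2)

# major.minor with an optional patch component; a missing patch counts as 0.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_firefox_version(text):
    """Return ((major, minor, patch), is_esr) for a version string.

    Assumed input shapes: 'Mozilla Firefox 62.0.2', '60.2.1esr', '62.0'.
    Raises ValueError when the text holds no version number.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Firefox version in {text!r}")
    major, minor, patch = match.groups()
    is_esr = "esr" in text.lower()
    return (int(major), int(minor), int(patch or 0)), is_esr


def is_affected(text):
    """True when the build predates the fix for its channel.

    A string without an 'esr' marker is compared against the Stable fix,
    so an unlabelled '60.2.2' is flagged. That errs towards re-checking
    the host rather than silently passing an old release build.
    """
    version, is_esr = parse_firefox_version(text)
    fixed = FIXED_ESR if is_esr else FIXED_RELEASE
    return version < fixed


def audit(inventory):
    """Map each host to 'affected', 'fixed' or 'unparsed'."""
    report = {}
    for host, raw in inventory.items():
        try:
            report[host] = "affected" if is_affected(raw) else "fixed"
        except ValueError:
            report[host] = "unparsed"
    return report


# Constructed sample inventory (host names and values are illustrative).
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 62.0.2",
    "ws-02": "Mozilla Firefox 62.0.3",
    "ws-03": "Mozilla Firefox 60.2.1esr",
    "ws-04": "Mozilla Firefox 60.2.2esr",
    "ws-05": "60.2.2",          # ESR marker lost by the inventory tool
    "ws-06": "not installed",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unparsed` or flagged only because the ESR marker is missing need a manual look at Help > About Firefox.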

Firefox 62.0.3 also fixes two Mac OS X related issues.

Users who upgraded their Mac devices to the new operating system version Mojave may have experienced hangs and freezes in Firefox when certain dialogs such as download, upload, or print are activated in the browser UI.

The second fix addresses playback of certain encrypted video streams on Mac OS X.

Firefox 62.0.2, which Mozilla also released for all supported operating systems, addressed a large number of issues and a security issue.

Firefox ESR was also updated to ESR 60.2.2.


Comments

  1. Paul(us0 said on October 3, 2018 at 1:22 pm
    Reply

    Thanks, Martin, for letting me know. I personally always appreciate update explanatory articles.

    1. Yuliya said on October 3, 2018 at 1:28 pm
      Reply

      It’s my only way of knowing when these updates arrive since I blocked mozilla’s domains (:

      1. Jody Thornton said on October 3, 2018 at 3:58 pm
        Reply

        I’ve also turned off Mozilla Maintenance Service. I just check for updates under Help->About, and press “Check for Updates”

        On that topic, I’m on v60.2.2 ESR which was also issued last night. I could not be happier with Quantum. Performance is awesome, and no I’m the furthest thing from a Mozilla fanboy. In fact, life with Quantum is by no means perfect. I wish there was an add-on for a Downloads Window, and I wish I could have a status bar, with a progress bar.

        But I’ll live :)

      2. michlind said on October 3, 2018 at 7:34 pm
        Reply

        Indeed! What would be the inane reason for removing download progress bar? I don’t know how many times I end up with duplicate downloads cuz I didn’t see any indication that a download even started/finished. Now after clicking on most small fast downloads I have to minimize Firefox to see if it’s on my Desktop.

      3. Anonymous said on October 5, 2018 at 6:05 am
        Reply

        Because the download speed at Mozilla HQ is so fast you don’t need progress bar

  2. Thorky said on October 3, 2018 at 3:18 pm
    Reply

    @Yuliya
    Why did you do so? :)

    1. Yuliya said on October 3, 2018 at 9:02 pm
      Reply

      In-browser offered configuration is not reliable against Mozilla’s telemetry.

      1. Richard Allen said on October 4, 2018 at 4:56 pm
        Reply

        @Yuliya

        You are of course exaggerating. Again. I’m absolutely not seeing any unwanted telemetry from any of my 3 FF/Nightly profiles, without having to block any domains.

      2. Yuliya said on October 4, 2018 at 5:44 pm
        Reply

        And I have seen in the course of three days, less actually, two different extensions installed without my consent and hidden within Firefox’s UI which were sending my data to some mozilla owned server. No, I don’t think this is an exaggeration on my part, this is an exaggeration on mozilla’s end forcing telemetry on me, despite the fact that I explicitly opted out of any telemetry and tests. I could not remove those two addons, they were coming back with every browser restart. It has happened at least three times in a row, until I decided to block Firefox’s access from the “features” folder inside my profile. And it happened on two different instances, both on a Windows 7 PC and a LTSB1607 VM.

        This is not acceptable behaviour. I was not announced or even aware of this happening. I spotted them in CCleaner.

        No. In-browser configuration SHOULD NOT, UNDER ANY CIRCUMSTANCE, BE TRUSTED, when it comes to Firefox.

        Blocking these domains is the only way of keeping mozilla’s malware off my computer:

        The two offending extension-type of malware were called “fxmonitor@mozilla.org.xpi” and “telemetry-coverage-bug1487578@mozilla.org.xpi”.

        I have never seen in my entire life such hostile behaviour from any software which I’m using like I’ve seen from Mozilla. No other browser or piece of software which I’m using has ever installed anything without my clear consent or knowledge.

        I don’t consider this acceptable and I certainly don’t consider this kind of behaviour should be acceptable or defended. Especially when the company makes such bold claims and so much fuss about how much they care about user’s privacy. They don’t. They are not any better than Google or the likes.

        Even their “privacy focused” browser on Android, called Firefox Focus, sends everything to a company called Adjust GmbH on top of using other techniques of making you easily identifiable.

        Sorry, but this company sits on the top of a pile of lies. The day this company vanishes, and at the current rate it will be sooner rather than later, will be a good day for a true competitor of Chromium to come. Maybe one which will indeed care about user’s privacy, not just lie about this.

      3. Yuliya said on October 4, 2018 at 6:06 pm
        Reply

        Incidentally, the day I have added those domains to my hosts file, the constant CPU usage coming from the Firefox’s process, a problem which appeared with Firefox 57, and I initially thought it was due to Mozilla’s developers incompetence of making a decent product and attributed them to memory management issues/leaks, have gone away.

        Chances are mozilla really was mining cryptocurrency on my machine after all, and that has dealt with this issue.

      4. Richard Allen said on October 4, 2018 at 6:20 pm
        Reply

        The Telemetry plugin that was installed along with the FX Monitor plugin was sent to 1% of English speaking users in the United States. Or at least that’s what I heard. My Firefox “Test” profile was actually selected in that 1%. To be clear, I don’t like that they installed the telemetry plugin but I can understand it. And I don’t see the plugin as ever being malicious but instead as being a stupid thing to do that pissed off the user base. Their need to know the extent of users with disabled telemetry was more important to them than all of us not wanting to participate, not that I agree or condone it. But… 1% of US users, ONE percent. I’m not seeing any unwanted telemetry going to Mozilla from profiles I don’t want sending telemetry.

        I still don’t know what your malfunction was with uninstalling the plugins because unlike you I uninstalled FX Monitor and the Telemetry plugin TWO different times without it ever mysteriously reinstalling itself. The first time I uninstalled them I had to reinstall a backup of my profile to get the plugins back because I wasn’t done experimenting with them. And since then, I’ve now had FX Monitor and the Telemetry plugin removed from my “Test” profile for about two weeks now without it ever once reappearing.

        Mozilla was mining cryptocurrency? LMAO Whatever. LoL

      5. Yuliya said on October 4, 2018 at 7:45 pm
        Reply

        What does “1% of US users” have to do with me? I don’t live in the US. I think you’ve heard it wrong.

        I have no other explanation for two Broadwell-E cores at 3,5GHz almost fully used only by firefox.exe with no tabs open and supposedly idling. Do you?

      6. Richard Allen said on October 4, 2018 at 8:57 pm
        Reply

        No, I haven’t heard wrong but I did round it up to 1%. Are you using a VPN? If you are it might explain why you got those addons.

        FX Monitor:
        “Mozilla plans to roll out the feature to [EN-US users of Firefox only during initial launch]. The organization plans to enable the feature for 0.5% of EN-US users initially on September 5, 2018.”
        “https://www.ghacks.net/2018/08/25/firefox-62-firefox-monitor-system-add-on-integration/”

        Telemetry-off:
        “Mozilla created the Telemetry Coverage system add-on and [distributed it to 1% of the Firefox population].”
        “https://www.ghacks.net/2018/09/21/mozilla-wants-to-estimate-firefoxs-telemetry-off-population/”

        “I have no other explanation for two Broadwell-E cores at 3,5GHz almost fully used only by firefox.exe with no tabs open and supposedly idling. Do you?”

        Seriously?

        If you fall victim to malware you don’t really expect to see it using notepad.exe do you. Same thing with cryptominers. Duh! Hey, you asked! :)

        I keep track of my system resource usage more than anyone I know, not 24 hrs a day but pretty much everyday. And I would hear at least one of my 6 fans inside my tower ramp up if cpu usage was high, the damn thing is right next to me and stays quiet until my Data (E:) hard drive starts up. And I also very often check my hardware temps. OCD! ;) I would absolutely notice if usage was ever high and I Never Ever, ever see anything abnormal when it’s supposed to be idling. And I absolutely never saw any abnormal resource usage when I had the FX Monitor and the Telemetry addons installed. The fact that you are seeing that proves to me you got more going on than just Firefox. Deny it at your own peril. ;)

      7. Yuliya said on October 4, 2018 at 9:21 pm
        Reply

        No VPN. What malware? Where from? That LTSB1607 VM has less than 2 hours up time combined. I installed it, configured it, then frozen it. Windows 7 host barely has 10 programs installed, most of which are extremely basic tools like 7zip and VLC. Both operating systems are perfectly clean.

      8. Richard Allen said on October 4, 2018 at 9:28 pm
        Reply

        “Both operating systems are perfectly clean.”

        Obviously not. “Something” has caused you to have a completely different experience with FF than what I’m seeing.

        “Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.”. LoL

      9. Yuliya said on October 4, 2018 at 9:35 pm
        Reply

        I don’t know. Hundreds of comments on reddit, even from people running it on Linux, seem to have gone through exact same issues at the same time as myself. The machine clearly isn’t at fault, everything else runs perfectly, every other browser. And the CPU usage issue suddenly stopped once I blocked mozilla’s domains. It’s not too difficult to pinpoint the culprit.

      10. Richard Allen said on October 4, 2018 at 9:41 pm
        Reply

        I can only comment on how well it’s running on my Win7 system and just say that FF puts a major beat down on Chrome Dev, Pale Moon, Waterfox and Vivaldi. The only other thing I can say is that I’m glad to not be on Windows 10. HaHa

      11. Yuliya said on October 4, 2018 at 9:58 pm
        Reply

        Yeah, fast or not I need to run other programs too on this machine. I can’t have Firefox take all the cores for itself just because mozilla decided to target me with their malware extensions.

      12. Richard Allen said on October 4, 2018 at 10:49 pm
        Reply

        I don’t see either one of them as being malware. But, that’s okay, I realize exaggeration is a thing with you. :)

        And, like I’ve mentioned, I had both extensions installed on my system without FF using any abnormal resources. And using FF in Linux Mint with VirtualBox is working fine for me. I guess it sucks to be you. :p

      13. Yuliya said on October 4, 2018 at 11:45 pm
        Reply

        They got in my system without my knowledge and sent data without my consent to mozilla. That’s malware, there is no other name for it. And it further proves how mozilla is capable of installing and altering the browser in any way they want regardless of your configuration, which is worrying and a sign their products should not be trusted.

      14. gwacks said on October 5, 2018 at 3:07 am
        Reply

        @Richard Allen
        Don’t feed this troll, dude. Just leave her alone and let her use chinese beautiful “non-malware” Chrome-shell browsers then she gonna know the truth and shut up.

  3. 420 said on October 3, 2018 at 5:03 pm
    Reply

    After the telemetry disabled and that other sneaky plugin I did not ask for I decided to stop using firefox and now use waterfox, if you have to fight with your software for control, it’s time to stop using it. Fucking idiots at mozilla, I used firefox since the beginning and they think it is ok to screw around with hidden shit, that you can’t get rid of. That is the definition of malware.

    1. Satania said on October 3, 2018 at 9:12 pm
      Reply

      Lol k

    2. Walz said on October 3, 2018 at 9:32 pm
      Reply

      What other sneaky plugin ? Please name it.

    3. noemata said on October 4, 2018 at 8:22 am
      Reply

      @420 what are you talking about? please name the “plugin” (?) – to hell. about:plugins?

      OpenH264 Video Codec provided by Cisco Systems, Inc. ?
      Widevine Content Decryption Module provided by Google Inc. ?

      what?

  4. 420 said on October 3, 2018 at 10:21 pm
    Reply

    The point is now they can figure out that I am not using their telemetry software, because I uninstalled their program completely. Don’t need a plugin I can’t get rid of to tell them that. Fucking idiots.

    1. Richard Allen said on October 4, 2018 at 4:50 pm
      Reply

      “Don’t need a plugin I can’t get rid of”

      What plugin is that? I’ve been using Firefox for over 10 years and have Never ever seen a plugin that I couldn’t remove. If you’re talking about the telemetry plugin, I actually saw it in one of my profiles over a month ago and had zero problems removing it once I decided I was done with it. What was your malfunction?

      I honest to God don’t care what browser anyone uses. You can use Safari on Windows for all I care, and I won’t say anything about it. Hell, I have six different browsers (8 profiles) installed so I’m not exactly closed minded about it. But since you feel the need to troll a Firefox article about security updates praising the virtue of WF let’s talk about Waterfox!

      I think it’s more than just a little ironic that you’re whining about FF in an article about security updates while you praise Waterfox and completely ignore its security update failures. How many security updates does Waterfox have to fall behind in comparison to FF before the average user should be concerned? One? Two? Three? How many security updates is Waterfox now missing?

      And I’m never surprised when Waterfox “enthusiasts” rarely if ever want to talk about how far behind in performance WF actually is when compared to FF. These will be the same people who swear that webrender is making a huge difference in WF v56 for them. Go ahead and tell me about it! LoL! I actually have WF installed, with two different profiles and can see how they compare side by side with FF so go ahead and make your claims.

      I’m not going to mention the Always slower browser startup. The Always slower page load times. The Always slower graphics rendering. The Always higher memory usage when using the same number of web content processes. I also won’t mention that Legacy addons will rarely if ever be updated, ever again. Which reminds me of the uBlock Origin Legacy version which is arguably the most important extension for many people, is it Ever going to see the new “Per-site JavaScript master switch” that the webext version has now? But goat head, keep praising the virtues of WF.

      There is not a single thing that WF does that a FF user is unable to do themselves by unchecking a couple boxes and deleting a folder. The uninformed claiming that WF is a “privacy hardened fork of FF” is just that, uninformed ignorance. Was that redundant? LoL

    2. Walz said on October 4, 2018 at 10:56 pm
      Reply

      Again, why can’t you answer a simple question ? Put your facts and names on the table or be quiet.

  5. rick-oz said on October 4, 2018 at 2:20 am
    Reply

    @Jody @ Minchlind https://addons.mozilla.org/en-US/firefox/addon/s3download-statusbar/

    Markus, if the box below is not checked when writing a post it gives a new page error, go back << BUT all data is lost, too bad if you have written 20 lines or more, surely that can be improved

  6. 420 said on October 5, 2018 at 3:55 am
    Reply

    The two extensions (sorry for calling them plugins) were the same as Yuliya had

    1.fxmonitor@mozilla.org.xpi

    2.telemetry-coverage-bug1487578@mozilla.org.xpi

    it does not matter to me that you are so great and uninstalled them with no problem, I had problems and do not like finding hidden shit that I (me not you) cannot get rid of. As far as praising waterfox, I never praised waterfox but I am pretty sure they would not abuse their privileges and install hidden shit on my pc that keeps coming back. Furthermore why the hell do I have to explain myself?

    1. Richard Allen said on October 5, 2018 at 12:24 pm
      Reply

      I had the same two addons and managed not to have any problems in any way with both of them. I wasn’t looking over your shoulder so I can’t explain what your particular malfunction was but… maybe I was somehow less incompetent? I only know that I had zero problems.

      You and Yuliya can both keep repeating your malware fairy tale and based on my experience on my hardware that’s exactly what it looks like to Me, a fairy tale, and I’ll keep responding with my observations and experiences using FF.

      If you leave a comment why would you ever be surprised to see a reply from someone with a completely different experience than yours? Get over it, it’s not like we’re going to be singing Kumbayah what with all your “hidden shit” and repeated “fucking idiots”, not interested in any explanations.

  7. Hy said on October 5, 2018 at 3:54 pm
    Reply

    Within 12 hours or so of being updated to 62.0.3 I experienced some hanging with FF. It happened when selecting “Clear History” in settings. Then very shortly after the entire program froze, so I tried in safe mode and the clear history problem was still there, so I did a clean uninstall and reinstall of the full program, and then another one after that. There haven’t been any program freezes since then (24 hours or so), but FF still hangs when clearing history. What used to take a few seconds now takes close to a full minute!

    In researching the hanging problem I saw on another tech site–might have been techdows or something similar–that FF 62.0.3 (or 62.0.2?) contained “improvements to clearing local storage” or something like that. Of course seeing this makes me think that if something has been done by Mozilla to the “clear history” process then that is what is now likely causing it to suddenly function so much differently. As I said, “clear history” used to take a few seconds and now takes close to a full minute! Oh, and during that time I think the program briefly shows “not responding.”

    Posting here in case anyone else experiences this…

    1. Hy said on October 6, 2018 at 8:12 am
      Reply

      Update: the first uninstall-reinstall I did was with the full version of 62.0.3. When the hanging problem persisted, I did a second clean uninstall-reinstall, and used the full version of 62.0 I had. The hang when clearing history persisted, which I couldn’t understand.

      Today FF automatically updated itself to 62.0.3, and now clear history is working correctly again! What’s happened with this these last few days doesn’t make sense to me but at least “clear history” is working correctly again. But one thing I noticed after today’s auto-update to 62.0.3: it changed a number of my settings in the process! It changed some of my about:config modifications back to their default, re-enabling Pocket, and disabling security.OCSP.require, for example. Under Settings, Home, Firefox Home Content it had checked and selected all of the boxes there, when I had had them all unchecked previously. And under Privacy and Security it had checked “Autofill addresses,” which I had unchecked.

      I don’t recall an FF update changing my preferences like this before. So after updating to FF 62.0.3 it’s worth having a look in your settings and in about:config and making sure everything is set up and configured the way you had it prior to the update!

      P.S. Note to Martin: today my earlier post above took well over 12 hours to appear!

  8. Unmozillad said on October 6, 2018 at 12:16 am
    Reply

    Richard Allen appears like a Mozilla supporter, paid for any comment he makes.

    Sad!

  9. Martin Turner said on October 6, 2018 at 5:34 am
    Reply

    I use Patch My PC for outdated applications

  10. anonymous said on October 8, 2018 at 12:31 am
    Reply

    The bookmarks are still not autocompleting on 62.0.3 on linux.

  11. Nicolas Fonteneau said on October 13, 2018 at 6:29 pm
    Reply

    Hello there,

    I need some help: since this update, I cannot manage to access some websites, including Facebook and Gmail. I have tried deleting the cookies and the cache, but it won’t change anything. The firewall is ok, nothing weird here, and Kaspersky Internet Security has not done anything either.

    No matter what I have tried so far, I always end up with the following message:

    Secure Connection Failed

    The connection to the server was reset while the page was loading.

    * The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    * Please contact the website owners to inform them of this problem.

    Does anyone have a clue of how to help me out please? Thank you for your time.

    1. doomon said on October 19, 2018 at 8:23 am
      Reply

      Same problem here. Everything works in other browsers, tried disable all addons – did not help.

  12. Anonymous said on October 17, 2018 at 5:36 pm
    Reply

    I am trying to update Firefox through SCCM but am unable to do so. Any suggestions?

    1. Hy said on October 19, 2018 at 3:55 am
      Reply

      Anonymous said: “I am trying to update Firefox through SCCM but am unable to do so. Any suggestions?”

      I’m not familiar at all with SCCM, but another way to update programs like Firefox is to use Ninite.
