Firefox 74.0.1 Stable out with important security fixes
Mozilla released a new stable version of the organization's Firefox web browser on April 3, 2020. Firefox 74.0.1 Stable is a security update that patches two critical security vulnerabilities in the browser that are actively exploited in the wild. Mozilla also released an update for the Extended Support Release, Firefox ESR, to address the vulnerabilities in that browser. Firefox ESR is upgraded to version 68.6.1, and updates are already available.
Firefox users who run the stable version of the web browser should receive update notifications when they start the browser the next time. The process can be expedited either by downloading the new stable release manually from Mozilla's official download site or by selecting Menu > Help > About Firefox to run a manual check for updates.
The release notes have been published already; they list security fixes only and no other changes. Mozilla's Security Advisories site provides additional information on the two vulnerabilities that the organization fixed in the new Firefox release:
- CVE-2020-6819: Use-after-free while running the nsDocShell destructor -- Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw.
- CVE-2020-6820: Use-after-free when handling a ReadableStream -- Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw.
It is unclear how these vulnerabilities can be exploited, only that attacks exploiting them are happening right now. ReadableStream is used to read data streams; nsDocShell's issue seems to have been caused by data not being released properly.
Firefox users are encouraged to update the web browser as soon as possible to protect it from these attacks.
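For administrators who need to check more than one machine, the following added example (not from Mozilla or the original article) classifies `firefox --version` output against the two fixed versions named above. The host names and version strings are constructed sample data, and the code assumes that ESR builds report an `esr` suffix.

```python
import re

# Fixed versions named in the article: Firefox 74.0.1 (release) and ESR 68.6.1.
# Anything older on the same channel still needs the update.
FIXED = {"release": (74, 0, 1), "esr": (68, 6, 1)}

# Matches the last token of `firefox --version` output, e.g. "74.0.1" or "68.6.1esr".
_TOKEN = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def classify(version_output):
    """Return 'patched', 'needs-update' or 'unknown' for one version string."""
    tokens = version_output.split()
    match = _TOKEN.fullmatch(tokens[-1]) if tokens else None
    if match is None:
        # Beta/nightly strings or garbage: flag for manual review instead of guessing.
        return "unknown"
    major, minor, patch, esr = match.groups()
    version = (int(major), int(minor), int(patch or 0))
    # Assumption: ESR builds carry the "esr" suffix; everything else is the release channel.
    channel = "esr" if esr else "release"
    return "patched" if version >= FIXED[channel] else "needs-update"


def audit(inventory):
    """Return {host: status} for every host that is not confirmed patched."""
    results = {host: classify(output) for host, output in inventory.items()}
    return {host: status for host, status in results.items() if status != "patched"}


# Constructed sample inventory (hypothetical host names and collected version output).
INVENTORY = {
    "ws-01": "Mozilla Firefox 74.0.1",
    "ws-02": "Mozilla Firefox 74.0",
    "ws-03": "Mozilla Firefox 68.6.1esr",
    "ws-04": "Mozilla Firefox 68.6.0esr",
    "ws-05": "Mozilla Firefox 75.0b11",
}

if __name__ == "__main__":
    for host, status in sorted(audit(INVENTORY).items()):
        print(f"{host}: {status}")
```
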
One of the researchers who reported the issues to Mozilla revealed on Twitter that the discovered issues might affect other browsers as well. He praised Mozilla for patching the vulnerability quickly. Whether other browsers means other Firefox-based browsers or non-Firefox browsers is unknown.
Now You: Have you updated your browser already?
FF 74.0.1 is almost a pointless update as FF 75.0 will be due out tomorrow April 7
After updating I have to login to every site that requires this. My login info is saved and available, but I cannot login automatically as before. When will I ever learn that if it’s working, don’t mess with it.
It is a security update. No “feature” was added.
Sorry for the off-topic, but 24 hours and no Iron Heart or Yuliya comments!!!!!
@Celebrate
I thought that you would miss me. But rest assured, the next Mozillian breach of privacy is just around the corner – it’s just that not every single update happens to be one.
PS: Your apparent inability to deal with differing opinions is pretty sad to look at.
@Iron Heart: I’m personally on the fence regarding both Brave and Firefox, but am genuinely curious – what do you think of Edge Chromium? As evil as Chrome? Better? Worse?
@ShintoPlasm
MS Edge is as evil or worse than Chrome. It sends a “unique hardware identifier” to MS which “persists across installations”, something which not even Chrome does, in addition to having the same privacy issues of Chrome, this was covered here:
https://www.ghacks.net/2020/02/25/study-finds-brave-to-be-the-most-private-browser/
If you ask me, the only browsers worth using, in terms of privacy, are:
– Ungoogled Chromium (probably the best on desktop)
– Bromite (probably the best on mobile)
– Brave (desktop and mobile)
– Pale Moon
– Basilisk
– Waterfox (got bought by an ad company, so might take a turn for the worse, it’s good so far)
– Firefox (heavily configured)
Iridium and IceCat are good in terms of privacy as well, but don’t get updated often, leaving you exposed to security issues, so I don’t recommend them.
Don’t even bother with:
– Chrome
– MS Edge
– Opera
– Internet Explorer
– Vivaldi (partially closed source, unique ID)
– Yandex
– Firefox (as configured out of the box)
—-
If you want to bother with Firefox, then the gHacks-user.js is a resource you should check out. Implement all or most of its changes depending on your personal preferences, and Firefox will be fairly or even very private. The default configuration is just bad and gets worse as far as I can see. Brave has good out of the box privacy settings (still, go into its settings menu to check out if you are satisfied with its settings), better than Firefox in any case.
Some extensions which I consider necessary in any browser are:
– uBlock Origin, or Nano Adblocker (also in Brave, for custom element blocking in general and because Brave’s adblocker doesn’t block first party ads)
– Nano Defender (hides the adblocker from websites that would otherwise complain about it)
– Decentraleyes
– HTTPS Everywhere (except in Brave, as Brave has that built-in already)
– Cookie AutoDelete
Privacy Badger is made redundant by uBlock Origin, uMatrix is mostly made redundant if you run uBlock Origin in medium settings. Hope this info is helpful to you.
Is this what the update to Firefox for Android (the stable version using Fennec and Firefox ESR as a base while they work towards getting Fenix ready to replace it) this morning was all about?
When I upgraded, there were no release notes for it on the official Mozilla website.
Awesome. No website works after this update. Nothing happens.
Tried clearing cache. Still nothing.
@Gabriel – Are you using uMatrix? There’s a bug. To temporarily fix it you have to go to the Assets Tab, Uncheck a Hosts File, Save Changes, then check that same Host File, Save Changes.
There will be a uMatrix update soon to fix it.
Yup. That was the issue Rick!
Thanks so much!
@Gabriel – No problem.
https://archive.mozilla.org/pub/firefox/releases/74.0.1/
Not updating. It messes up my FF setup, mainly ‘Tabs on Bottom’
still usin FF51 and will continue to choose
my own TLS settings; Ya know it?
the update with the fix got deployed fast on any major os, but the major linux distros and their repos, are lagging behind again for hours!
I use Arch BTW… Ubuntu’s too busy trying to convert the deb to flabbysnap ZZZZZZZZZZZzzzzz.
Linux has a 1.8% market share so yea.
I feel more secure already.
(that’s sarcasm)
think i lost my pinned firefox taskbar icon after this update…
Mozilla has not re-enabled TLS 1.0 and 1.1 in this latest Firefox 74.0.1 :
security.tls.version.min remains at 3 (Minimum TLS = 1.2)
The preference change may have been remotely applied to Firefox 74 but 74.0.1 does not include it. I wasn’t affected by the remote change given that Mozilla remote updates don’t apply here.
My Min is still – 1 – Max is – 4 –
@CraigS26, that’s likely because your TLS settings had been remotely changed under FF74.0, in which case they’d prevail on Firefox’s default settings… I guess. TLS max is not concerned.
Have a look at your security.tls.version.min in about:config, is it in bold? If so, right-click and choose ‘Reset’.
Important security updates in this version.
I guess we can expect several days wait for it to trickle into the Ubuntu repositories, like usual. Sigh.
Lolwut? Fedora user here, but I’m pretty sure Firefox security fixes are uploaded to the Ubuntu repos in hours, and this includes the LTS repos for those of you who like moss-grown versions. Wait, isn’t Ubuntu all snap packages these days anyway?
Had it day one on Windoze. ;-)
On Debian it is usually the same day when Firefox ESR lands in the unstable and stable distributions.