Firefox 74.0.1 Stable out with important security fixes - gHacks Tech News

ADVERTISEMENT

Firefox 74.0.1 Stable out with important security fixes

Mozilla has released a new stable version of the organization's Firefox web browser on April 3, 2020. Firefox 74.0.1 Stable is a security update that patches two critical security vulnerabilities in the browser that are actively exploited in the wild. Mozilla released an update for the Extended Support Release, Firefox ESR, as well to address the vulnerabilities in that browser. Firefox ESR is upgraded to version 68.6.1 and updates are available already.

Firefox users who run the stable version of the web browser should receive update notifications when they start the browser the next time. The process can be expedited either by downloading the new stable release manually from Mozilla's official download site or by selecting Menu > Help > About Firefox to run a manual check for updates.

firefox 74.0.1

The release notes have been published already; they list security fixes only and no other changes. Mozilla's Security Advisories site provides additional information on the two vulnerabilities that the organization fixed in the new Firefox release:

  • CVE-2020-6819: Use-after-free while running the nsDocShell destructor -- Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw.
  • CVE-2020-6820: Use-after-free when handling a ReadableStream -- Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw.

It is unclear how these vulnerabilities can be exploited, only that attacks happen right now that exploit them. ReadableStream is used to read data streams, nsDocShell's issue seems to have been caused by data not being released properly.

Firefox users are encouraged to update the web browser as soon as possible to protect it from these attacks.

One of the researchers who reported the issues to Mozilla revealed on Twitter that the discovered issues might affect other browsers as well. He praised Mozilla for patching the vulnerability quickly. Whether other browsers means other Firefox-based browsers or non-Firefox browsers is unknown.

Now You: Have you updated your browser already?

Summary
Firefox 74.0.1 Stable out with important security fixes
Article Name
Firefox 74.0.1 Stable out with important security fixes
Description
Mozilla has released a new stable version of the organization's Firefox web browser on April 3, 2020. Firefox 74.0.1 Stable is a security update that patches two critical security vulnerabilities in the browser that are actively exploited in the wild.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: »

Comments

  1. I AM NOT A MERRY MAN! said on April 4, 2020 at 8:53 am
    Reply

    Important security updates in this version.

    I guess we can expect several days wait for it to trickle into the Ubuntu repositories, like usual. Sigh.

    1. pioruns said on April 4, 2020 at 11:10 am
      Reply

      On Debian is usually the same day when Firefox ESR lands into unstable and stable distribution.

    2. Chris said on April 5, 2020 at 4:40 am
      Reply

      Had it day one on Windoze. ;-)

    3. Matti said on April 5, 2020 at 7:00 pm
      Reply

      Lolwut? Fedora user here, but I’m pretty sure Firefox security fixes are uploaded to the Ubuntu repos in hours, and this includes the LTS repos for those of you who like moss-grown versions. Wait, isn’t Ubuntu all snap packages these days anyway?

  2. Tom Hawack said on April 4, 2020 at 9:36 am
    Reply

    Mozilla has not re-enabled TLS 1.0 and 1.1 in this latest Firefox 74.0.1 :
    security.tls.version.min remains at 3 (Minimum TLS = 1.2)

    The preference change may have been remotely applied to Firefox 74 but 74.0.1 doesn not include it. I wasn’t affected by the remote change given that Mozilla remote updates don’t apply here.

    1. CraigS26 said on April 4, 2020 at 2:06 pm
      Reply

      My Min is still – 1 – Max is – 4 –

      1. Tom Hawack said on April 4, 2020 at 4:39 pm
        Reply

        @CraigS26, that’s likely because your TLS settings had been remotely changed under FF74.0, in which case they’d prevail on Firefox’s default settings… I guess. TLS max is not concerned.
        Have a look at your security.tls.version.min in about:config, is it in bold? If so, right-click and choose ‘Reset’.

  3. ewts said on April 4, 2020 at 11:23 am
    Reply

    think i lost my pinned firefox taskbar icon after this update…

  4. Larry Appleton said on April 4, 2020 at 12:28 pm
    Reply

    I feel more secure already.

    (that’s sarcasm)

  5. samuel baiden said on April 4, 2020 at 2:55 pm
    Reply

    the update with the fix got deployed fast on any major os, but the major linux distros and their repos, are lagging behind again for hours!

    1. Trey said on April 4, 2020 at 8:17 pm
      Reply

      Linux has a 1.8% market share so yea.

    2. Anonymous said on April 4, 2020 at 11:22 pm
      Reply

      I use Arch BTW… Ubuntu’s too busy trying to convert the deb to flabbysnap ZZZZZZZZZZZzzzzz.

  6. 11r20 said on April 4, 2020 at 4:47 pm
    Reply

    still usin FF51 and will continue to choose
    my own TLS settings; Ya know it?

  7. Anonymous said on April 4, 2020 at 5:11 pm
    Reply

    Not updating. It messes up my FF setup, mainly ‘Tabs on Bottom’

  8. Gabriel said on April 4, 2020 at 10:41 pm
    Reply

    Awesome. No website works after this update. Nothing happens.
    Tried clearing cache. Still nothing.

    1. Rick A. said on April 5, 2020 at 10:49 am
      Reply

      @Gabriel – Are you using uMatrix? There’s a bug. To temporarily fix it you have to go to the Assets Tab, Uncheck a Hosts File, Save Changes, then check that same Host File, Save Changes.

      There will be a uMatrix update soon to fix it.

      1. Gabriel said on April 5, 2020 at 10:21 pm
        Reply

        Yup. That was the issue Rick!
        Thanks so much!

      2. Rick A. said on April 6, 2020 at 2:47 pm
        Reply

        @Gabriel – No problem.

  9. John said on April 5, 2020 at 12:09 am
    Reply

    Is this what the update to Firefox for Android (the stable version using Fennec and Firefox ESR as a base while they work towards getting Fenix ready to replace it) this morning was all about?

    When I upgraded, there were no release notes for it on the official Mozilla website.

  10. Celebrate said on April 5, 2020 at 2:57 pm
    Reply

    Sorry for the off-topic, but 24 hours and no Iron Heart or Yuliya comments!!!!!

    1. Iron Heart said on April 6, 2020 at 9:59 am
      Reply

      @Celebrate

      I thought that you would miss me. But rest assured, the next Mozillian breach of privacy is just around the corner – it’s just that not every single update happens to be one.

      PS: Your apparent inability to deal with differing opinions is pretty sad to look at.

      1. ShintoPlasm said on April 6, 2020 at 4:37 pm
        Reply

        @Iron Heart: I’m personally on the fence regarding both Brave and Firefox, but am genuinely curious – what do you think of Edge Chromium? As evil as Chrome? Better? Worse?

      2. Iron Heart said on April 7, 2020 at 8:13 am
        Reply

        @ShintoPlasm

        MS Edge is as evil or worse than Chrome. It sends a “unique hardware identifier” to MS which “persists across installations”, something which not even Chrome does, in addition to having the same privacy issues of Chrome, this was covered here:

        https://www.ghacks.net/2020/02/25/study-finds-brave-to-be-the-most-private-browser/

        If you ask me, the only browsers worth using, in terms of privacy, are:

        – Ungoogled Chromium (probably the best on desktop)
        – Bromite (probably the best on mobile)
        – Brave (desktop and mobile)
        – Pale Moon
        – Basilisk
        – Waterfox (got bought by an ad company, so might take a turn for the worse, it’s good so far)
        – Firefox (heavily configured)

        Iridium and IceCat are good in terms of privacy as well, but don’t get updated often, leaving you exposed to security issues, so I don’t recommend them.

        Don’t even bother with:

        – Chrome
        – MS Edge
        – Opera
        – Internet Explorer
        – Vivaldi (partially closed source, unique ID)
        – Yandex
        – Firefox (as configured out of the box)

        —-

        If you want to bother with Firefox, then the gHacks-user.js is a a resource you should check out. Implement all or most of its changes depending on your personal preferences, and Firefox will be fairly or even very private. The default configuration is just bad and gets worse as far as I can see. Brave has good out of the box privacy settings (still, go into its settings menu to check out if you are satisfied with its settings), better than Firefox in any case.

        Some extensions which I consider necessary in any browser are:

        – uBlock Origin, or Nano Adblocker (also in Brave, for custom element blocking in general and because Brave’s adblocker doesn’t block first party ads)

        – Nano Defender (hides the adblocker from websites that would otherwise complain about it)

        – Decentraleyes

        – HTTPS Everywhere (except in Brave, as Brave has that built-in already)

        – Cookie AutoDelete

        Privacy Badger is made redundant by uBlock Origin, uMatrix is mostly made redundant if you run uBlock Origin in medium settings. Hope this info is helpful to you.

  11. Anonymous said on April 5, 2020 at 4:45 pm
    Reply

    It is a security update. No “”feature”” was added.

  12. Lorissa said on April 5, 2020 at 11:42 pm
    Reply

    After updating I have to login to every site that requires this. My login info is saved and available, but I cannot login automatically as before. When will I ever learn that if it’s working, don’t mess with it.

  13. EP said on April 6, 2020 at 7:47 pm
    Reply

    FF 74.0.1 is almost a pointless update as FF 75.0 will be due out tomorrow April 7

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.