Firefox 82.0.3, Firefox 78.4.1 and Thunderbird 78.4.2 patch a critical security issue - gHacks Tech News

ADVERTISEMENT

Firefox 82.0.3, Firefox 78.4.1 and Thunderbird 78.4.2 patch a critical security issue

Mozilla has released new stable versions of the Firefox web browser and the team behind the Thunderbird email client has released a new stable version to address a critical security vulnerability.

Firefox 82.0.3 and Firefox 78.4.1 ESR are already available. Firefox users may select Menu > Help > About Firefox to run a manual check for updates to download and install the new version automatically.

mozilla firefox 82.0.3

Thunderbird users may select Help > About Thunderbird in the client to get the new version downloaded and installed. Both menus display the current version that is installed on the system, which can be used to verify that the update is installed.

thunderbird 78.4.2

The Firefox 82.0.3 release notes and the Thunderbird 78.4.2 release notes list a security fix as the only change in the release. Both link to the official Mozilla Security website.

Mozilla Foundation Security Advisory 2020-49 reveals that the security issue that is fixed in the new versions of the browser and email client has received the highest severity rating critical.

It was revealed during the Tianfu Cup 2020 International Cybersecurity Contest held on November 7 and November 8, 2020. The contest is China's version of the Pwn2Own contest featuring security speeches, demonstrations, and a wide assortment of targets to be hacked.

Among the targets were all major browsers, Microsoft Edge, Google Chrome, Apple Safari, Mozilla Firefox, as well as other popular applications such as Adobe PDF Reader, VMWare Workstation, Ubuntu, Apple's iPhone 11 Pro with iOS 14, Samsung's Galaxy S20, Windows 10 version 2004, and other systems.

The successful exploit of a vulnerability in Firefox brought the issue to Mozilla's attention. Thunderbird and Firefox share a codebase, and that is why Thunderbird is also affected by the vulnerability.

Mozilla's public description of the vulnerability:

CVE-2020-26950: Write side effects in MCallGetProperty opcode not accounted for

In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition.

Mozilla reacted quickly and has produced a patch to fix the issue in all current versions of the Firefox web browser and Thunderbird.

Firefox and Thunderbird users should consider updating their browsers and email clients to the new version as quickly as possible.

The next stable version of Firefox will be released on November 17, 2020.

Summary
Firefox 82.0.3, Firefox 78.4.1 and Thunderbird 78.4.2 patch a critical security issue
Article Name
Firefox 82.0.3, Firefox 78.4.1 and Thunderbird 78.4.2 patch a critical security issue
Description
Mozilla has released new stable versions of the Firefox web browser and the team behind the Thunderbird email client has released a new stable version to address a critical security vulnerability.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: »

Comments

  1. John C. said on November 10, 2020 at 7:32 am
    Reply

    Nobody updating to a newer version of Thunderbird? Come up with a “critical security issue” in older versions, then loudly, explicitly announce what it is and how to exploit it. Anymore, I trust Mozilla about as much as I trust Google.

    1. Rnk said on November 10, 2020 at 5:11 pm
      Reply

      How dare them be transparent and fix the security issue quickly.

  2. Steve said on November 10, 2020 at 8:25 am
    Reply

    @Martin Brinkmann: Thanks for the article. On a side note, since you added the “related content” section, the last portion of the article (i.e. closing words, summary and comments) do not get styled as before when page scripts are blocked.

  3. ShintoPlasm said on November 10, 2020 at 11:32 am
    Reply

    Kudos to Mozilla for responding so quickly to the Tianfu finding. Credit where due.

  4. TelV said on November 10, 2020 at 1:07 pm
    Reply

    @ Martin,

    There seems to be a problem with the display. Sentences are being cutoff without being hyphenated. Here’s a pix: https://i.postimg.cc/Pqq2Pf7V/display-words-split-in-sentences.png

    It does it even if the option for sites to use their own fonts is enabled and if addons are disabled. I’m using Waterfox Classic, but I tried it using Firefox and that behaves the same way.

    1. Martin Brinkmann said on November 10, 2020 at 2:52 pm
      Reply

      Hi, I cannot reproduce this in Firefox nor in any other browser but have forwarded this to have it checked out. If you could provide exact versions of the browsers and other information, e.g. extensions or settings that may interfere, that would help as well.

      1. broken words said on November 11, 2020 at 8:51 pm
        Reply

        Also happens with Basilisk.

        Switching off styling statements in the Inspector view indicates the culprit is “word-break: break-all;”.

        There’s also IMHO excessive hyphenation due to “-moz-hyphens: auto; hyphens: auto;”, but at least this doesn’t run counter to normal typesetting conventions.

    2. Martin Brinkmann said on November 10, 2020 at 2:53 pm
      Reply

      Can you please try and load the site directly bypassing the cache? Hold down Ctrl before you click on the reload button.

    3. Cigologic said on November 14, 2020 at 4:00 am
      Reply

      > TelV: “Sentences are being cutoff without being hyphenated”

      Same here, as seen in Firefox. It affects the whole page, including the comments section. The embedded inline images are also badly misaligned, eg. displayed towards the right edge of the page & away from the text area. A hard-refresh of the webpage has no effect. (In any case, my browser is set to clear its cache every few minutes & also upon exit.)

      Then since around 2-3 days ago, if JavaScript is enabled, every single Ghacks webpage upon being loaded will instantly freeze the browser & max out the CPU usage, thus requiring a hard kill of the browser process. Previously (& this has been happening for the past 2-3 years), it was just the Ghacks homepage that hangs the browser in the same manner. It’s not possible to see what the misbehaving script is, since the browser becomes totally frozen.

      > broken words: “Also happens with Basilisk.”

      Incidentally, I switched to Basilisk (using Firefox v52.9 ESR code) because of the aforementioned issues, & Ghacks’ display looks quite okay (ie. no truncated words due to unexpected carriage-returns, no display misalignments) — although the text-column width seems unnecessarily narrow (spanning just the size of my palm, with lots of wasted huge blank space on the left & right), as if catering to hand-sized mobile displays.

      My Basilisk & Firefox configs & addons are identical. The only addon that I removed from Basilisk is Fireshot (a compatible version), because its JavaScript-based “advanced features” (eg. image preview & edit function) for some reason aren’t working in Basilisk, & the addon ended up in permanent “Lite Mode”.

  5. TelV said on November 10, 2020 at 1:15 pm
    Reply

    I guess this means I’ll have to upgrade to the 7 series even though it’s going to mean my 6 series addons will stop working. :(

  6. Steve Hardy said on November 10, 2020 at 1:22 pm
    Reply

    Are Beta versions of Firefox and Thunderbird vulnerable to the same security issue? When do those versions get updated with a security fix – with the next Beta release?

    1. Martin Brinkmann said on November 10, 2020 at 2:49 pm
      Reply

      Beta, Dev and Nightly versions do get updated earlier usually.

  7. computer said no said on November 10, 2020 at 6:40 pm
    Reply

    Has there been an improvement in memory usage.?.

  8. md.rakib said on November 11, 2020 at 10:51 am
    Reply

    it’s so match take

  9. someone said on November 11, 2020 at 11:51 am
    Reply

    Does anyone know what does that vulnerability description mean? practically, how would it be exploited?

  10. SpywareFan said on November 17, 2020 at 9:52 am
    Reply

    Meanwhile they broke policy templates… Again!

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.