Firefox 115.0.2 fixes a security issue and several crashes
Mozilla has released the second Firefox 115 point release today. Firefox 115.0.2 and Firefox 115.0.2 ESR address a security issue in the web browser, several startup crashes and other non-security issues.
Firefox 115.0 and Firefox 115.0.1 were both released last week.
The latest version of Firefox is available via the web browser's automatic updating feature already. Selecting Menu > Help > About Firefox displays the current version of the browser. Opening the about page launches an automatic check for updates as well; the new version should be picked up by Firefox then.
Users may also download it directly from the official Mozilla Firefox website if they prefer to do so.
Firefox 115.0.2 and 115.0.2 ESR address a single security issue in the web browser. The security advisories page lists one issue, a use-after-free vulnerability in workers. The severity rating of the vulnerability is moderate, a fairly low rating. The overall rating of the update, however, is set to high. It is unclear whether this is an error on Mozilla's part or whether some information has not been added to the security advisories yet.
The official release notes list several crashes, all of which affect Firefox on Windows systems. The first crash affects Firefox on Windows 7 systems only. Mozilla reveals that it is a crash related to the browser's DLL blocklist feature, but does not provide specifics.
Mozilla introduced capabilities recently that allow Firefox users to block third-party DLL injections in the browser.
The second crash fix addresses an issue that "some" Windows users experienced after Firefox blocked "instances of a malicious injected DLL". The bug report on Bugzilla lists Windows 10 as the affected operating system. Mozilla notes there that the crash is likely caused by malware that is installed on the user's device.
The release notes list three additional bugs, all non-security, that Mozilla addressed in Firefox 115.0.2:
- A bug with audio rendering on some sites has been addressed.
- A patternTransform translate bug using the wrong units has been addressed.
- Fixed a caret displaying bug in "some text editors on some websites".
Firefox users may want to install the update as soon as possible to protect the browser against potential attacks targeting the security vulnerability. Those affected by crashes may also want to patch early. Users whose devices may carry malware that has been causing Firefox to crash need to scan their devices using up-to-date security software.
Windows Defender is installed on Windows 10 devices by default, but there are other options, including Bitdefender Antivirus Free.
@Martin Brinkmann
It is now 115.0.3 ESR version. But there are no release notes.
“Sorry, we can’t find that page. We’re all about a healthy internet but sometimes broken URLs happen”.
https://www.mozilla.org/en/firefox/115.0.3/releasenotes/
Thanks for the detailed answer, owl. I really appreciate it. I thought that was the case but wanted to ask.
https://www.mozilla.org/en-US/firefox/115.0.3esr/releasenotes/
115.0.3esr
Firefox ESR
July 18, 2023
Version 115.0.3esr, first offered to ESR channel users on July 18, 2023
Fixed
Fixed a startup crash for Windows users with Qihoo 360 Antivirus software installed (bug 1843977)
Thank you @owl for answer and also @Martin Brinkmann for article.
https://www.ghacks.net/2023/07/23/firefox-115-0-3-is-a-rare-esr-only-update-but-you-may-not-need-it/
By the way, this update is an “extremely rare case” that only applies to “users using Qihoo 360, a third-party antivirus software for Windows,” so it is irrelevant to most users (no need to update).
Here’s a question for ya. If say you use Windows 7 and use the Chameleon extension and have it set that you are using Win 10 Firefox then would FF know and hand out the 115ESR release or would it be fooled in thinking you were really using Win 10. Sorry if it sounds like a dumb question to those that are smart with this stuff. I kind of doubt it would be fooled, but I don’t know and I thought I’d ask.
@Agnetha,
> use Windows 7 and use the Chameleon extension and have it set that you are using Win 10 Firefox then would FF know and hand out the 115ESR release or would it be fooled in thinking you were really using Win 10.
The browser extension “Chameleon” can disguise the user agent etc. to the website, but it cannot disguise the Browser program code itself or the OS.
Firefox program update management system adopts “Rapid release”.
(Only Firefox ESR version adopts “Extended Support Release”.)
Since “updates are pushed” by the defined update schedule management, Firefox updates that are compatible with the OS will inevitably be applied.
In short, if your OS is Win7, it is destined to automatically switch to Firefox ESR.
Firefox update channel | support.mozilla.org
Currently offer two paths for Firefox updates: Rapid Release and Extended Support Release (ESR).
https://support.mozilla.org/en-US/kb/choosing-firefox-update-channel
Firefox Release Calendar
https://whattrainisitnow.com/calendar/
The Firefox release process | wiki.mozilla.org
https://wiki.mozilla.org/Release_Management/Release_Process
ESR Landing Process | wiki.mozilla.org
https://wiki.mozilla.org/Release_Management/ESR_Landing_Process
For your reference: The browser extension “Chameleon by sereneblue” official stand on the issue is clear.
Excerpted and quoted below,
https://github.com/sereneblue/chameleon/issues/509#issuecomment-871325651
Ultimately you cannot hide the OS from JS (it is IMPOSSIBLE), or even from passive fingerprinting (TCP/IP characteristics) – but that doesn’t mean that sometimes you can just try and make life harder for the bastards
https://github.com/sereneblue/chameleon/issues/508#issuecomment-950246321
The problem then is that even with an entirely plausible and consistent forged profile, some entities like CloudFlare or Google are using analysis methods powerful enough to be able to detect not only that you are using a forged profile, but also how it is forged.
Mozilla just did a release 3 days ago to fix one solitary bug. This sort of herky-jerky, whack-a-mole release cycle is super annoying, and must drive the GNU/Linux distro maintainers nuts when they have to rebuild all their Firefox versions just three days apart.
Of course, Firefox’s main customer base is Windows, and Microsoft doesn’t give a crap, because they neither build nor validate nor warranty any of the software that most people use. Could you imagine Microsoft taking responsibility for a repo of over 60,000 packages like a lot of GNU/Linux distros do? That’s way too much work for them, it would never happen.
If you are dissatisfied with this, you should actively use the development version to report a problem.
*
@Andy Proough’s outrage is understandable.
However, since Firefox “115” is a milestone version (which has been extensively revised), there are many cases where “rare cases of bugs are discovered” immediately after the release.
This is due to a unique case on the user side, so it seems unavoidable because the development side often “doesn’t know until the report comes up”.
The “Firefox Release” version adopts Rapid Release.
If you are concerned about the hassle of milestone versions, Firefox ESR, which has adopted the “Extended Support Release”, is a good choice.
Firefox update channel | support.mozilla.org
Currently offer two paths for Firefox updates: Rapid Release and Extended Support Release (ESR).
https://support.mozilla.org/en-US/kb/choosing-firefox-update-channel
Firefox Release Calendar
https://whattrainisitnow.com/calendar/
The Firefox release process | wiki.mozilla.org
https://wiki.mozilla.org/Release_Management/Release_Process
ESR Landing Process | wiki.mozilla.org
https://wiki.mozilla.org/Release_Management/ESR_Landing_Process
As you may be aware,
for existing users of ESR, “automatic updates to milestone versions will be suspended (blocked) for a certain period of time”.
This is because the premise is to complete the milestone version-specific “confirmation of compatibility (with the old version) and correction of initial defects”.
However, please note that automatic updates are only suspended (blocked) and manual updates are possible.
Unfortunately, the one solitary bug is related to the Firefox blocklisting kisfdpro64.dll. I don’t think anything GNU/Linux figures into this, though I stand to be corrected.
Kingsoft Security was very popular in the Chinese language universe (lots of people in there) but otherwise went defunct about 10 years ago.
Apparently there are enough users still using Kingsoft Security or had uninstalled it wherein that failed to unregister the library, par for the course. So, there could very well have been an overwhelming number of users experiencing the crash needing the dot one fix.
I’m of the opinion a simple run of regsvr32 under admin against the dll would have resolved the issue.
But try and get that done on a global scale…
Oops. Forgot to mention your slam of Microsoft in this case is unjustified. They’re in business to make a living, so it would be in their best interest to give a crap. MS has qualifications for software and hardware to be used by those in business to make a living using Windows. But, you know that.
Whether or not that meets anyone’s standards can choose something else. As everyone knows, for at least 20 years now, Linux will be replacing Windows.
And the bourgeois have Apple. :)
>”MS has qualifications for software and hardware to be used by those in business to make a living using Windows.”
They’ll never have a software repo. They’ll never build and maintain a universe of software and tell their users “this is safe – we stand by it”. They have their own handful of programs and then that’s it. They don’t build almost anything in the Microsoft Store. Anything you install on Windows outside of Office and Teams and Skype and Edge and an Xbox client and a very few things like that – you are just on your own.
>”They’re in business to make living, so it would be in their best interest to give a crap.”
No one ever demands that they give a crap, and just keep shoveling money in their direction. They’ll never lift a finger to give any customer assurance about the non-Microsoft software titles they run. Microsoft might say, “this meets our quality standards”. But they won’t build it and maintain a working version of it for their customers.