back to article Awoogah! Awoogah! Firefox fans urged to update and patch zero-day hole exploited in the wild by miscreants

Mozilla has released an emergency critical update for Firefox to squash a zero-day vulnerability that is under active attack. The Firefox 67.0.3 and ESR 60.7.1 builds include a patch for CVE-2019-11707. The vulnerability is a type confusion bug in the way Firefox handles JavaScript objects in Array.pop. By manipulating the …

  1. Anonymous Coward
    Anonymous Coward

    You were already protected from this bug (and many more), if you have been using NoScript all along.

    Running arbitrary Active Content from remote servers such as JavaScript, Flash, and lots of other malware, is EVIL.

    1. Anonymous Coward
      Anonymous Coward

      Re NoScript

      No Script breaks websites. It’s not a suitable solution for 99% of people.

      1. Tigra 07 Silver badge

        Re: Re NoScript

        True, but you can disable it for a tab with two clicks.

        1. Robert Carnegie Silver badge

          UPDATE AGAIN

          I think this is the highest I can place this: You now "need" version 67.0.4 or ESR 60.7.2.

          Because,

          https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/

          Although, this one is only an Orange problem, the one before it was Red.

      2. Craig 2

        Re: Re NoScript

        Endless scripts are not a solution for 99% of websites..

      3. MrMerrymaker Bronze badge

        Re: Re NoScript

        Being in full control of your data isn't for 99% of people either, but that doesn't mean the 1% are wrong.

        1. Eddy Ito
          Trollface

          Re: Re NoScript

          Does that mean we are the 1%?

      4. Anonymous Coward
        Anonymous Coward

        Re: Re NoScript

        "No Script breaks websites.."

        Indeed it does (on a few).

        And those are the sites I avoid completely.

        1. billdehaan

          Re: Re NoScript

          If you're running a comment engine, like, oh, el Reg, or if you're an e-commerce site, it makes complete sense that your site needs Javascript or other in-browser code in order to function, since it's responding to dynamic user input.

          If you're a newspaper, you don't need Javascript to render a printed page of text with a few graphics.

          It's like this nonsense of saying users need to run anti-virus on their TV sets. Why in god's name do I need, or want, a TV that can run programs in the first place? I can happily plug programmable devices into my set via HDMI, and I can happily choose not to, as well.

          Disabling Javascript in the browser is just the equivalent of using a dumb TV. You lose an incredible amount of garbage, but very little actual functionality.

          1. thosrtanner

            Re: Re NoScript

            You might use it to make the page behave more prettily and *respond* dynamically to the users input - for intsance, telling the user they'd given invalid input before they pressed submit and had to wait to get a response from the server (and contrary to what some sites seem to believe, using javascript doesn't obviate the need for your server to validate the users input anyway).

            But *need* it? No - you don't need it. Not even amazon needs it. Enter name, press search. You might not get the menu of items similar to what you'd typed in so far, but frankly, that's so rarely useful for me, I could live without it (and probably it would make the site faster as it's not sending messages to the server every keystroke...)

      5. N2 Silver badge

        Re: Re NoScript

        No Script breaks some shitty websites. But it’s a solution for 99% of people.

        FTFY

  2. Claverhouse Silver badge
    Linux

    Just make sure you're running the latest version

    Yeah, right: No.

    1. ds6

      Re: Just make sure you're running the latest version

      Gonna need some more context for that one, hotshot.

    2. Dave K Silver badge

      Re: Just make sure you're running the latest version

      As this flaw shows, running an outdated version isn't sensible. If you dont like the later FF builds then use a fork such as Pale Moon or Waterfox.

      1. Anonymous Coward
        Anonymous Coward

        Re: Just make sure you're running the latest version

        But these forks will take much longer to get fixed, if at all.

        1. This post has been deleted by its author

          1. Anonymous Coward
            Anonymous Coward

            flippin' edit window... OK my bad.

            WF got patched 4 hours ago. Bug 1544386 shows up in Commits and I was only looking at Repositories.

            Mozilla's commit went in all the way back on May 8th. that's why I didn't see it already before failing at search.

        2. Dave K Silver badge

          Re: Just make sure you're running the latest version

          Pale Moon's developer has commented on their forum to state that Pale Moon is not affected by this vulnerability.

    3. adam 40

      Re: Just make sure you're running the latest version

      "Fortunately, because Mozilla automatically updates Firefox with new zero day exploits and bugs, both Linux, Mac, and Windows PC users can install new vulnerabilities with a simple browser restart."

      There - fixed that for you....

  3. msknight

    By manipulating the object in the array, malicious JavaScript on a webpage could get the ability to remotely execute code without any user interaction.

    This is a bad thing.

    I do love the understatement of Reg articles :-) ... keep it coming guys, I've got a pile of replacement keyboards to go with my morning coffee.

    1. Dave K Silver badge

      Of course if it was a current BBC article, they'd also need to find someone to also explain how it could be a good thing so the article has "balance"....

      1. This post has been deleted by a moderator

        1. ExpatZ

          Re: re. BBC

          Now now, don't be so hard on yourself.

          You are just a run of the mill idiot.

        2. Rich 11 Silver badge

          Re: re. BBC

          I'm only a miserable, middle-aged, white, racist

          I'm always happy to take people at their word, at least until they demonstrate they're not worthy of trust, you miserable middle-aged white racist.

          1. Anonymous Coward
            Anonymous Coward

            I'd lump myself in with that, but you left out cis/binary/native-English-speaking MALE. Yep, everything is my fault.

            1. ds6
              Coffee/keyboard

              oh no, I just spilled coffee all over myself! I have more Privilege Points (PP) than you, so you get to pay my hospital bill.

              I love justice!!

          2. Robert Carnegie Silver badge

            Re: re. BBC

            As the educational song says: "Everyone's a little bit racist, sometimes."

            "Sometimes" - that word is very important! ;-)

      2. Cavehomme_

        BBC

        Not only that, they’d have the statement at the bottom saying: “If you have been affected by any of the issues in this article, contact.....”

        1. bryces666

          Re: BBC

          I've never seen caring balanced views when I search my porn for BBC.. ...

          Oh wait, your British, of course it has another meaning, just not the first to come to mind everytime I see that acronym, lol.

      3. Naselus

        "For comment, we've brought in a noted IT security expert with a PhD in Compsci and 25 years of experience in the field to argue in favour, and a plumber called Tom who can't turn on his laptop without help from his grandchildren to argue against. We're going to give them both equal airtime and treat their opinions as equally valid on the topic."

        1. NerryTutkins

          Actually I think they'd wheel out Nigel Lawson. He's their go-to guy when they need a talking head to provide some political balance against the shameless propaganda of facts.

      4. Anonymous Coward
        Anonymous Coward

        While your BBC joke was true it's, fortunately, less so now

        Just a warning to steer clear from old assumptions. Find out for yourself again once in a while. Lest you yourself become cliché

    2. illiad

      hey does anyone know of a way to install it in a domain active directory??

      1. MrKrotos

        Google "firefox enterprise msi", you can push that via GPO to deploy :)

  4. Anonymous Coward
    Anonymous Coward

    Here's an idea - why doesn't Mozilla offer security fixes separately from new versions of the browser? I'm getting tired of having to install a new version because some critical bug has been discovered, only to find a whole new set of pointless features (like Pocket) that I'm never going to use have been added. Or worse, you find that some feature you actually use has been "deprecated" because the developers decided they can't be arsed to support it any more (live bookmarks, anyone?)

    Or here's another idea - why don't developers actually ask the users what they want instead of just rolling out new features then complaining when the users express dissatisfaction with their precious ideas?

    Sorry, rant over.....

    1. MrKrotos

      "getting tired of having to install a new version", firefox auto updates! Just check the Help/About and it will say if its up-to-date or not.

      1. MrMerrymaker Bronze badge

        I must have disabled the auto-update as I use a few quality of life addons that always seem to break when I upgrade

        Once it was Adblock....

        So I get a nag box instead, though to be fair it nags once per session.

        The complaint here, I believe, isn't that it updates a lot - it does, but that's vigilance for you - it is that extra "features" seem to sneak their way into what nominally should be a security patch.

    2. Jon 37

      > why doesn't Mozilla offer security fixes separately from new versions of the browser

      They do. They offer an ESR version that only gets security and bug fixes, and a normal version that gets new features and fixes.

      Note that providing security fixes to N different versions of the browser takes about N times as much engineering effort as just supporting a single version. So Mozilla chose N = 2 - you get the ESR version and the normal version. Providing security fixes for the last 20 versions of the browser would be far too much effort for not enough benefit.

  5. Anonymous Coward
    Anonymous Coward

    Again?

    Firefox seems awfully patchy lately

    I'm not stupid, I'll do it, though my NoScript use is hopefully a decent prophylactic

    I do like settling on one version though. For longer anyway.

  6. Nick Kew Bronze badge
  7. Eddy Ito

    Good thing NoScript is working. Our wonderful admins have disabled auto-updates and push updates only once a month. Fortunately NoScript was back with the last monthly update as it fixed the security cert flaw.

  8. mark l 2 Silver badge

    I am on Linux mint so get my updates from them not from Mozilla so there will have to wait for them to push out a patched version or not as there is no new Firefox build showing in update manager and I am still on 67.0.2?

    1. Robert Carnegie Silver badge

      Workarounds

      https://linuxhint.com/getting_latest_version_firefox_linux_mint/ suggests getting the Snap version, or, and I think you won't want to do this, an "unofficial" "flatpack" download which comes as "developer" or "nightly" edition, which I think means respectively "prominent new bugs" and "extraordinary new bugs".

      Having said that, I am looking (in Microsoft Internet Explorer) at the release-channel appearance of version 67.0.4 for some reason, at https://www.mozilla.org/en-US/firefox/67.0.4/releasenotes/

      Yup, https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/ says that we now need, or anyway want, version 67.0.4, or ESR 60.7.2.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020