You were already protected from this bug (and many more), if you have been using NoScript all along.
Running arbitrary Active Content from remote servers such as JavaScript, Flash, and lots of other malware, is EVIL.
Mozilla has released an emergency critical update for Firefox to squash a zero-day vulnerability that is under active attack. The Firefox 67.0.3 and ESR 60.7.1 builds include a patch for CVE-2019-11707. The vulnerability is a type confusion bug in the way Firefox handles JavaScript objects in Array.pop. By manipulating the …
If you're running a comment engine, like, oh, el Reg, or if you're an e-commerce site, it makes complete sense that your site needs Javascript or other in-browser code in order to function, since it's responding to dynamic user input.
If you're a newspaper, you don't need Javascript to render a printed page of text with a few graphics.
It's like this nonsense of saying users need to run anti-virus on their TV sets. Why in god's name do I need, or want, a TV that can run programs in the first place? I can happily plug programmable devices into my set via HDMI, and I can happily choose not to, as well.
Disabling Javascript in the browser is just the equivalent of using a dumb TV. You lose an incredible amount of garbage, but very little actual functionality.
You might use it to make the page behave more prettily and *respond* dynamically to the user's input - for instance, telling the user they'd given invalid input before they pressed submit and had to wait to get a response from the server (and contrary to what some sites seem to believe, using javascript doesn't obviate the need for your server to validate the user's input anyway).
But *need* it? No - you don't need it. Not even amazon needs it. Enter name, press search. You might not get the menu of items similar to what you'd typed in so far, but frankly, that's so rarely useful for me, I could live without it (and probably it would make the site faster as it's not sending messages to the server every keystroke...)
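As an added example (not part of any comment in this thread, and not Mozilla's or The Register's code), here is the point about validation made concrete: one rule applied in the browser for instant feedback and applied again, independently, on the server. The search-term rule, the catalogue and the handler names are all constructed for illustration.

```javascript
// Added example: the same validation rule runs on the client for fast
// feedback and again on the server, because the server must never assume
// the client-side check ran.

// Rule shared by both sides: a search term is 1..64 printable characters.
const MAX_QUERY_LENGTH = 64;

function validateSearchQuery(query) {
  if (typeof query !== "string") {
    return { ok: false, reason: "query must be a string" };
  }
  const trimmed = query.trim();
  if (trimmed.length === 0) {
    return { ok: false, reason: "query is empty" };
  }
  if (trimmed.length > MAX_QUERY_LENGTH) {
    return { ok: false, reason: `query longer than ${MAX_QUERY_LENGTH} characters` };
  }
  // Reject control characters; only printable text is a sensible search term.
  if (/[\u0000-\u001f\u007f]/.test(trimmed)) {
    return { ok: false, reason: "query contains control characters" };
  }
  return { ok: true, value: trimmed };
}

// Client side: would run in the browser before the form is submitted, so the
// user sees the error without a round trip. This is a convenience only; the
// user can turn scripting off or send the request some other way.
function onSubmitClientSide(formValue) {
  const result = validateSearchQuery(formValue);
  if (!result.ok) {
    return { submitted: false, message: result.reason };
  }
  return { submitted: true, body: { q: result.value } };
}

// Constructed sample catalogue standing in for the real backend store.
const CATALOGUE = ["USB keyboard", "mechanical keyboard", "coffee mug", "HDMI cable"];

// Server side: receives whatever arrived over the wire, which may not have
// passed through the client check at all. It validates again, on its own.
function handleSearchRequest(body) {
  const result = validateSearchQuery(body && body.q);
  if (!result.ok) {
    return { status: 400, error: result.reason };
  }
  const needle = result.value.toLowerCase();
  const hits = CATALOGUE.filter((item) => item.toLowerCase().includes(needle));
  return { status: 200, results: hits };
}

// Stand-alone demonstration: a well-formed submission and a request that
// skipped the client check entirely.
console.log(onSubmitClientSide("  keyboard "));
console.log(handleSearchRequest({ q: "keyboard" }));
console.log(handleSearchRequest({ q: "a\u0000b" }));
console.log(handleSearchRequest({}));
```

The client check and the server check share one function on purpose: keeping two hand-written copies of the rule in sync is how the two sides drift apart, and only the server's copy is the one an attacker cannot switch off.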
By manipulating the object in the array, malicious JavaScript on a webpage could get the ability to remotely execute code without any user interaction.
This is a bad thing.
I do love the understatement of Reg articles :-) ... keep it coming guys, I've got a pile of replacement keyboards to go with my morning coffee.
"For comment, we've brought in a noted IT security expert with a PhD in Compsci and 25 years of experience in the field to argue in favour, and a plumber called Tom who can't turn on his laptop without help from his grandchildren to argue against. We're going to give them both equal airtime and treat their opinions as equally valid on the topic."
Here's an idea - why doesn't Mozilla offer security fixes separately from new versions of the browser? I'm getting tired of having to install a new version because some critical bug has been discovered, only to find a whole new set of pointless features (like Pocket) that I'm never going to use have been added. Or worse, you find that some feature you actually use has been "deprecated" because the developers decided they can't be arsed to support it any more (live bookmarks, anyone?)
Or here's another idea - why don't developers actually ask the users what they want instead of just rolling out new features then complaining when the users express dissatisfaction with their precious ideas?
Sorry, rant over.....
I must have disabled the auto-update, as I use a few quality-of-life add-ons that always seem to break when I upgrade.
Once it was Adblock....
So I get a nag box instead, though to be fair it nags once per session.
The complaint here, I believe, isn't that it updates a lot - it does, but that's vigilance for you - it is that extra "features" seem to sneak their way into what nominally should be a security patch.
> why doesn't Mozilla offer security fixes separately from new versions of the browser
They do. They offer an ESR version that only gets security and bug fixes, and a normal version that gets new features and fixes.
Note that providing security fixes to N different versions of the browser takes about N times as much engineering effort as just supporting a single version. So Mozilla chose N = 2 - you get the ESR version and the normal version. Providing security fixes for the last 20 versions of the browser would be far too much effort for not enough benefit.
Good thing NoScript is working. Our wonderful admins have disabled auto-updates and push updates only once a month. Fortunately NoScript was back with the last monthly update as it fixed the security cert flaw.
https://linuxhint.com/getting_latest_version_firefox_linux_mint/ suggests getting the Snap version, or, and I think you won't want to do this, an "unofficial" "flatpack" download which comes as "developer" or "nightly" edition, which I think means respectively "prominent new bugs" and "extraordinary new bugs".
Having said that, I am looking (in Microsoft Internet Explorer) at the release-channel appearance of version 67.0.4 for some reason, at https://www.mozilla.org/en-US/firefox/67.0.4/releasenotes/
Yup, https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/ says that we now need, or anyway want, version 67.0.4, or ESR 60.7.2.
.deb packages