Daily Archives: February 11, 2016

Mozilla Releases Firefox 44.0.2 and Firefox ESR 38.6.1

Earlier today Mozilla made available unscheduled security updates for Firefox and Firefox ESR (Extended Support Release) bringing them to versions 44.0.2 and 38.6.1 respectively. Firefox 44.0.2 addresses a critical severity CVE (defined). 2 other critical security issues (1 of which was assigned a CVE) were resolved by Firefox ESR 38.6.1.

These security issues were reported to Mozilla by 2 security researchers (Jason Pang of OneSignal and Holger Fuhrmannek) and the Cisco Talos Security Intelligence and Research Group.

The first issue affecting Firefox 44.0 and 44.0.1 involves the violation of the same-origin policy (defined) of the browser due to how the crossdomain.xml file is open to being forged which can lead to a service worker forging responses to network requests to the network requests made initially by plugins of the browser.

The first issue addressed by Firefox ESR 38.6.1 involves the bypassing of validation of internal instruction parameters within the Graphite 2 library of Firefox when special CNTXT_ITEM instructions are used. The other issues reported by the Cisco Talos group were also addressed but no further details were provided.

Further details of these updates (and the issues they address) are available here and here. If Firefox is installed on any computer that you use, please install the appropriate update as soon as possible. Details of how to install updates for Firefox are here.

Mozilla Firefox updates generally install without issues, however as always I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.