The popular web browser released a major update on August 8, version 55, which — in addition to some nifty new features, like Virtual Reality support — includes a number of security fixes. Firefox 55 remediates three critical and 11 high-impact vulnerabilities, as well as seven moderate and six low-impact vulns.
Of the critical and high-impact vulnerabilities fixed, several of them would have allowed an attacker to crash the browser, execute arbitrary code, or even access sensitive information on a page the user was reading. A few days after the 55 release came its first minor update, 55.0.1, which includes a few additional bug fixes.
On August 8 also came the latest major update for Firefox Extended Support Release (ESR), version 52.3.0, which might be of interest to you if you manage and deploy Firefox in an organization. Firefox ESR 52.3.0 also mitigates the same security vulnerabilities as addressed in Firefox 55, all detailed in the MFSA 2017-18 security bulletin.
If you are running anything close to a recent version of Firefox, the browser should be set up to automatically update to the latest version as soon as the update is available — unless you’ve manually disabled this option, which we do not recommend!
As of the time of this writing, it appears that the automatic updates for Firefox haven’t been pushed out quite yet (so you might still be running 54.0.1), but version 55.0.1 is available for standalone download if you don’t want to wait. You can always check to see if you have the latest version by following the instructions on this help page from Mozilla.
Another step toward killing off Flash for good
One of the major changes in this release that’s not strictly a security update, but has big security implications, is a change in how Firefox runs the Adobe Flash plugin within the browser. Mozilla has a roadmap describing its phased plan for stopping plugins, including Flash, for good. Plugins, Mozilla writes, are an “obsolete technology”, and with the release of Firefox 46 last June (2016), all plugins aside from Adobe Flash became click-to-activate.
Since Flash is one of the most ubiquitous (and problematic) of plugins, Mozilla says it is working with other browser companies to help phase out support for Flash across the board.
With this release, Firefox now runs Flash click-to-activate and will only run on http or https URLs. Adobe Flash is and has been a major threat vector for years, and as you may have heard, is due to be killed off by Adobe in 2020; that said, in the intervening years, disabling the autoplay of Flash could certainly mitigate a number of attacks that use Flash to infiltrate a browser.
The Flash click-to-activate change is not universal and only is set to begin with release 55. According to the Firefox Plugins roadmap, this change will “be rolled out progressively during August and September 2017”. Once Adobe stops supporting Flash at the end of 2020, Firefox will as well — by that time, the browser will completely refuse to load the plugin no matter what.