This week, on the 19th, Mozilla released a major update for its browser. A couple of days later, the new version reached the official repositories, and today, two days later, the company has released Firefox 66.0.1, a version that fixes two critical security flaws found at the Pwn2Own hacking contest, where participants are dedicated to finding and exploiting these types of flaws, but for our good.
Firefox 66.0.1 is available for Windows, Mac and Linux, but it is not yet available as a snap package or in the official repositories. Considering how long it took for v66 to arrive, we can expect v66.0.1 to be available next Monday. This is why snap packages and similar formats such as Flatpak are so important: although the new version does not appear in the Snappy Store yet, the snap package receives updates via Push, that is, the program itself receives them as soon as it is opened.
Firefox 66.0.1 is coming soon to the official repositories
The bugs that this version fixes are CVE-2019-9810 and CVE-2019-9813, both found by Richard Zhu, Amat Cama, and Niklas Baumstark through Trend Micro's Zero Day Initiative. The first of the two describes a buffer overflow and a missing bounds check in Firefox 66, caused by incorrect alias information in the IonMonkey JIT compiler for the Array.prototype.slice method.
CVE-2019-9813, on the other hand, is a "type confusion" problem, again in the IonMonkey JIT, this time in the JIT code itself. This bug could allow a malicious user to read and write arbitrary memory, which was possible (and still is in v66) due to mishandling of __proto__ mutations.
Mozilla encourages all users to update as soon as possible. As we have mentioned previously, Windows and macOS users can do so from the notification that Firefox shows when an update is available, since Push updates have long existed on those systems. Linux users can download the new version and install it manually, but this is not recommended. Those who are using the snap package will be able to update now, while those of us who use the APT version will have to wait a couple of days. Let's wait then.