It has been just a few days since the release of Firefox 124.0, but here is Firefox 124.0.1 already. Usually, when this happens, it is either a security update or a bug fix update that addresses major issues.
It is a security update in the case of Firefox 124.0.1. The official release notes include just two words: “Security fixes”. The issue affects desktop versions of the web browser. It is unclear if the Android version is also affected. There is no release notes page for Firefox 124.0.1 for Android at the time of writing.
The security advisory page lists two security issues that Mozilla addressed in the Firefox update. Both have a severity rating of critical, which is the highest severity rating available:
- CVE-2024-29943: Out-of-bounds access via Range Analysis bypass
- CVE-2024-29944: Privileged JavaScript Execution via Event Handlers
Both security issues were reported to Mozilla by Manfred Paul via Trend Micro’s Zero Day Initiative.
The first security issue could allow an attacker to “perform an out-of-bounds read or write” on JavaScript objects by “fooling range-based bounds check elimination”.
The second issue allows an attacker to “inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process”.
Without going into too much detail, the issues would allow an attacker to execute JavaScript code or control JavaScript objects in the Firefox web browser.
Mozilla does not reveal if the issues are exploited in the wild. It is a good idea to update Firefox Stable installations as soon as possible to protect the browser from potential attacks targeting the vulnerabilities.
Updating Firefox
The security update is available already. While most Firefox installations will get updated automatically, cautious Firefox users and system administrators may want to speed up the installation of the update.
Here is how this is done:
- Open the Firefox web browser.
- Select Menu > Help > About Firefox.
- Firefox displays the current version. It should pick up the update at the same time. In other words, it is downloaded and installed automatically.
- A restart of the browser is required to complete the process.
Repeat the steps above and you should see Firefox 124.0.1 listed as the version on the about page.
Firefox is also available on the Mozilla website, where the latest version can be downloaded to the local system from the download page.
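For administrators who want to confirm that the update landed, here is an added example (not from Mozilla or the original article) that classifies the output of firefox --version against the fixed builds. It assumes a Linux or macOS system where the command prints a "Mozilla Firefox <version>" banner; the 115.9.1 ESR figure comes from the reader comments below, and the sample banners are constructed.

```python
import re
import shutil
import subprocess

# Fixed builds: 124.0.1 is from the article, 115.9.1 ESR from the reader comments.
FIXED = {"release": (124, 0, 1), "esr": (115, 9, 1)}

# Matches e.g. "Mozilla Firefox 124.0.1" or "Mozilla Firefox 115.9.1esr".
# Pre-release suffixes (b3, a1) deliberately do not match and are reported as unknown.
_BANNER_RE = re.compile(r"Mozilla Firefox (\d+(?:\.\d+)*)(esr)?\s*$")


def parse_version(banner):
    """Return (channel, version_tuple) for a version banner, or None if unparseable."""
    match = _BANNER_RE.search(banner.strip())
    if match is None:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    parts += (0,) * (3 - len(parts))  # pad "124.0" to (124, 0, 0) for comparison
    return ("esr" if match.group(2) else "release", parts)


def needs_update(banner):
    """True if below the fixed build, False if at or above it, None if unknown."""
    parsed = parse_version(banner)
    if parsed is None:
        return None
    channel, version = parsed
    return version < FIXED[channel]


def installed_banner(binary="firefox"):
    """Run `<binary> --version` if the binary is on PATH; return its output or None."""
    path = shutil.which(binary)
    if path is None:
        return None
    result = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=30)
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample banners, followed by the local installation if one exists.
    banners = ["Mozilla Firefox 124.0", "Mozilla Firefox 124.0.1",
               "Mozilla Firefox 115.9.0esr", "Mozilla Firefox 115.9.1esr"]
    local = installed_banner()
    if local:
        banners.append(local)
    for banner in banners:
        state = {True: "NEEDS UPDATE", False: "ok", None: "unknown"}[needs_update(banner)]
        print(f"{banner!r}: {state}")
```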
When an unexpected upgrade is available, chances are a user may miss it, especially if he hasn’t set his application to auto-update (such as myself).
Again, Martin, your reactivity is most appreciated.
We have upgraded Firefox 115.9.0 ESR to 115.9.1 ESR accordingly.
Firefox ESR 115.9.1 was also released
Second that! I’d like to mention that at the moment I like this new Chipp.in better than the good old Ghacks.net.