Mozilla sent Firefox Version 36.0 to the release channel, with Firefox ESR updated to 31.5. The update includes eight (8) security updates, of which three (3) are identified as critical, two (2) high, two (2) moderate and one (1) low.
A security feature finally incorporated in version 36.0 is full HTTP/2 support. Additional information on this change is available in the Mozilla Security Blog, Phase 2: Phasing out Certificates with 1024-bit RSA Keys | Mozilla Security Blog (https://blog.mozilla.org/security/2015/01/28/phase-2-phasing-out-certificates-with-1024-bit-rsa-keys/).
Additional information regarding the security fixes and other changes made in this update is available in my blog post here (http://securitygarden.blogspot.com/2015/02/mozilla-firefox-version-360-released.html).
To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."
Keep in mind Mozilla's Hello (https://www.mozilla.org/en-US/privacy/firefox-hello/) chat feature phones home metrics (your personal information) to Mozilla and other undisclosed parties. Inquire via asking how to disable this feature if you do not want to mistakenly use it and allow Firefox to collect more metrics than it already does.
As I remarked elsewhere - Beware of strange men bearing gifts.
Alert Alert !! Firefox 36.0 is requesting a Firewall exception (http://windows.microsoft.com/en-ca/windows/risks-allowing-programs-through-firewall#1TC=windows-7) I've alerted Mozilla via Twitter and await feedback. For now I am not using the Browser.
I received the firewall exception alert on two systems, but not on three others. Not exactly sure what the difference was.
After I saw your report about the Windows Firewall, siljaline, I launched FF, checked a couple of links on Bing and didn't get an alert. I also wonder what the difference is.
I've seen reports of this behaviour for ~12 hours now, just updated FF here and, on restart, it flashed up a 2nd tab with Hello? and a dropdown from the Hello? icon that I'd dragged away from the icon bar before forcing the update - and I got the firewall message - I denied it.
Checking the Advanced *inbound* settings for the firewall, the only Blocked lines are 2 from FF, 1 for Public UDP over all ports, the other for Public TCP over all ports.
Seriously, can Mozilla be trusted anymore, changing my setup (from no Hello? icon to waving it in my face) and expecting full inbound access - too much.
I followed the link that siljaline provided in the FF 35 update thread and disabled Hello.
Quote from: siljaline on February 20, 2015, 09:56:55 PM
How do I disable hello ? Note this is a Mozilla Forum suggestion as best answer and should not be construed as officially sanctioned by Mozilla but it gets the job done as Hello is a privacy concern.
https://support.mozilla.org/en-US/questions/1043588
Glad I'm sticking with Pale Moon!
Quote:
Glad I'm sticking with Pale Moon!
Me too!
I do have FF 31 ESR installed on three of the four computers as another "choice".
On the computer that updated to 36, I'll have to see if hello returns. I did block it in v35.
I've reverted to FF 35.01 as I don't want any outbound or inbound traffic through the Firewall. I'll take a slightly less secure Browser than one that breaches my firewall. Watch out, you Pale Moon users - you might see some mission creep soon. Turn off auto-majic updates across all platforms.
Quote from: siljaline on February 26, 2015, 07:07:03 AM
Watch out, you Pale Moon users - you might see some mission creep soon.
Unlikely - but I'll find out before you do ;)
Quote from: satrow on February 26, 2015, 07:29:23 AM
Quote from: siljaline on February 26, 2015, 07:07:03 AM
Watch out, you Pale Moon users - you might see some mission creep soon.
Unlikely - but I'll find out before you do ;)
Indeed you will, satrow!
Discussion at mozillazine.org regarding the firewall exception: Which service - fx36 and up - is responsible for SSDP? (http://forums.mozillazine.org/viewtopic.php?f=23&t=2911235)
Two bug reports that appear to apply: 1086278 – Windows/Mac firewall dialog pops up on startup (https://bugzilla.mozilla.org/show_bug.cgi?id=1086278) and 1111967 – Add an option to disable SSDP in Firefox (https://bugzilla.mozilla.org/show_bug.cgi?id=1111967)
As to the Firewall exception, I booted a second computer to the partition with Windows 7 (I don't have FF installed on the partition with Windows 10) and didn't get the firewall exception prompt there either.
I haven't gotten it on either 8.1 box :uhm:
FF 36 on Win 7 Pro 32 bit:
1. no firewall popup
2. Hello stayed off and I also checked about:config as a double-check.
Yesterday I updated to Firefox 36 on OEM Win 7 Ultimate 64 bit without the Windows Firewall pop up.
Then changed Hello to false.
No problems here.
I am having issues with FF 36.0. Seems I get a scroll bar at the bottom of the reply box as if Word Wrap is disabled and I have no idea how to fix it. This only happens at Geek To Go and Bleeping Computer which is IP.board software. It does not happen here. So, could it be the forum software at those 2 sites? This is driving me nuts! Reverting back to FF 35.0.1 to see if that will fix it. :angry:
Checking your plugins (https://www.mozilla.org/en-US/plugincheck/) will also tell you you're running an older version of Firefox.
Those who do not wish to run the somewhat compromised new version as discussed here may not want to obey this prompt.
How weird is this.....
I went surfing around the many forums I frequent and found that I experienced this scroll bar issue only on forums that used IP.Board software. Reverting back to FF 35.0.1 fixed the problem. No more scroll bar at the bottom of the reply boxes at any of the forums. :laughing:
Clearest info I've seen so far: Bug 1136772 - Suddenly Windows 7 firewall is blocking Firefox 36.0 on our network, Anyone else having this issue? (https://bugzilla.mozilla.org/show_bug.cgi?id=1136772)
Looks like the firewall exception is purely for the detection of Roku devices (which apparently should only be, or are only designed/intended for, Private networks).
The FF installer is set to open firewall exceptions on both Public and Private networks, causing blocking in W7 when it fails when it's on a Domain connected PC.
Those on Private networks should not see the firewall popup, those on Public (higher security) do.
There's also a request for someone from security to evaluate (I hope it's not the same person who gave it the go-ahead first time around!).
It's not clear whether the definition Private as used includes both Home and Work networks as defined by MS (http://windows.microsoft.com/en-us/windows/choosing-network-location#1TC=windows-7).
The bottom line looks like "Let's add lots of stuff and release it, if we get problems, we'll call in an expert while we read the manuals".
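The inbound rules described in this thread (Firefox entries for Public TCP and UDP over all ports) can be listed with `netsh advfirewall firewall show rule name=all dir=in verbose`. The following is an added example, not part of any post in this thread: it parses that output and reports the enabled rules for one program, assuming the English-locale field names; the sample output, rule names and paths are constructed.

```python
import re

# Constructed, abridged sample of English-locale output from
# `netsh advfirewall firewall show rule name=all dir=in verbose` (names/paths illustrative).
SAMPLE = r"""
Rule Name:                            Firefox (C:\Program Files\Mozilla Firefox)
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Public
Protocol:                             UDP
LocalPort:                            Any
Program:                              C:\Program Files\Mozilla Firefox\firefox.exe
Action:                               Block

Rule Name:                            Firefox (C:\Program Files\Mozilla Firefox)
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Public
Protocol:                             TCP
LocalPort:                            Any
Program:                              C:\Program Files\Mozilla Firefox\firefox.exe
Action:                               Block

Rule Name:                            Example Media App
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Private
Protocol:                             UDP
LocalPort:                            1900
Program:                              C:\Program Files\Example\media.exe
Action:                               Allow
"""

def parse_rules(text):
    """Split netsh output into one dict per rule, keyed by field name."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+?):\s+(.*)$", line)
        if m and m.group(1) == "Rule Name":
            rules.append({})  # a "Rule Name" line starts a new rule
        if m and rules:
            rules[-1][m.group(1)] = m.group(2).strip()
    return rules

def rules_for(text, exe):
    """Enabled rules whose Program is exe, as (profiles, protocol, port, action)."""
    return [(r.get("Profiles"), r.get("Protocol"), r.get("LocalPort"), r.get("Action"))
            for r in parse_rules(text)
            if r.get("Enabled") == "Yes"
            and r.get("Program", "").lower().endswith("\\" + exe.lower())]
```

On a live system, pass the captured netsh output to `rules_for(output, "firefox.exe")` in place of `SAMPLE`; an `Allow` action on the `Public` profile is the entry to review.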
That does make sense why I didn't get the firewall exception prompt.
Quote from: satrow on February 27, 2015, 05:22:05 AM
The bottom line looks like "Let's add lots of stuff and release it, if we get problems, we'll call in an expert while we read the manuals".
That, unfortunately, sounds like a perfect definition of the path Firefox has been going since the move to the rapid release schedule.
Firefox 36.0.1 ( 5 March 2015 )
What's New ( https://www.mozilla.org/en-US/firefox/36.0.1/releasenotes/ )
◦Fixed
36.0.1 - Disable the usage of the ANY DNS query type (1093983)
◦Fixed
36.0.1 - Fixed a startup crash with EMET (1137050)
◦Fixed
36.0.1 - Hello may become inactive until restart (1137469)
◦Fixed
36.0.1 - Print preferences may not be preserved (1136855)
◦Fixed
36.0.1 - Hello contact tabs may not be visible (1137141)
◦Fixed
36.0.1 - Accept hostnames that include an underscore character ("_") (1136616)
◦Fixed
36.0.1 - WebGL may use significant memory with Canvas2d (1137251)
◦Fixed
36.0.1 - Option -remote has been restored (1080319)
◦Fixed
36.0.1 - Fix a top crash
The update to version 36.0.1 includes nine (9) security updates, of which four (4) are identified as high, four (4) moderate and one (1) low. The security updates included in this release are items 2015-19 through 2015-27 at Security Advisories for Firefox (https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/).
Firefox 36.0.1 still breaches your Firewall (http://windows.microsoft.com/en-ca/windows/risks-allowing-programs-through-firewall#1TC=windows-7). Angry Tweets to https://twitter.com/mozilla & https://twitter.com/firefox sent.
Can't figure out why some people get the Firewall exception and others don't.
Until the Firewall bug has been fixed, I've reverted to FF 35.0.1
Quote from: Corrine on March 06, 2015, 02:46:28 AM
Can't figure out why some people get the Firewall exception and others don't.
I've asked over at MozillaZine (http://forums.mozillazine.org/viewtopic.php?f=38&t=2918897&sid=58031b07ed18388231b9cabfe2e38b10), we'll see what shakes out although they've likely been told by Corporate to keep their mouths shut on the firewall pinhole as Hello (https://www.mozilla.org/en-US/firefox/hello/) seems to be a big seller.
I also can not figure out why 31 ESR does not get updated as often as v 36. Isn't it vulnerable to the 9 security flaws that have been patched? Maybe it doesn't have all the bells and whistles that add security holes to the browser.
Every time FF gets an update, I check the ESR running on three of the computers.
Quote from: siljaline on March 06, 2015, 05:18:11 PM
Quote from: Corrine on March 06, 2015, 02:46:28 AM
Can't figure out why some people get the Firewall exception and others don't.
I've asked over at MozillaZine (http://forums.mozillazine.org/viewtopic.php?f=38&t=2918897&sid=58031b07ed18388231b9cabfe2e38b10), we'll see what shakes out although they've likely been told by Corporate to keep their mouths shut on the firewall pinhole as Hello (https://www.mozilla.org/en-US/firefox/hello/) seems to be a big seller.
:thumbsup: on this:
Quote:
If Market share is something Mozilla wants to keep, John and his big crew need to be more transparent.
I followed the link you posted to the instructions to toggle loop.enabled to false to disable "Hello" and have not received the firewall exception prompt.
@ Corrine - I think you had mentioned further up this thread or on Facebook that some were getting the Firewall exception closed once having done the about:config (toggle loop) trick to close out Hello.
It works for some but from what I've seen with many users, this has not worked.
Thus, many are staying at Firefox version 35.0.1. My post at MozillaZine has gone unanswered as have Tweets to Mozilla and Firefox.
Mozilla have clearly shot themselves in the proverbial foot on this one in introducing a Browser based chat client that needs to speak through your Firewall. Until they've told us how to fix this - many will not go forward with the rapid releases of Mozilla Firefox.
This and other ongoing issues have put Firefox on the endangered species list (http://www.computerworld.com/article/2893514/an-incredibly-shrinking-firefox-faces-endangered-species-status.html).
I now use PaleMoon exclusively. When I go to a website, am I identified as using FF or PM?
If FF then perhaps the 10% or fewer of us identified as using FF are not really using it.
I also use PaleMoon exclusively. Two out of three sites recognize that I am using PaleMoon by the UserAgent:
https://www.whatismybrowser.com/
http://www.whatbrowser.org/
This site thinks I'm using FF 31.9: http://www.whatbrowseramiusing.co/
Many websites do not recognize the PaleMoon UserAgent. As a result, with version 25.0.2, Moonchild added a default setting under Options > Advanced > General to set Firefox Compatibility mode. (More info here: http://forum.palemoon.org/viewtopic.php?f=24&t=6004)
That's a bit of a tall order that sites don't fetch PaleMoon's user agent at every visit. Regardless of what Browser you use - any site will fetch your IP address regardless of how you have your Browser's setting at max unless you use Tor (http://en.wikipedia.org/wiki/Tor_(anonymity_network)) or something similar. There are legal ramifications there, too.
Just some thoughts.
Thanks for the links Corrine. I now have them bookmarked.
Comcast doesn't change IPs often. As a result, my IP has stayed the same since Nov. 19 2013. It doesn't bother me. I don't do things at sites that would get my IP banned.
An older post from me that I thought had gotten lost in the melee (screen cap) describes how I feel the current situation with Firefox is at current.
A repost for those who may still be puzzling over the firewall exception popup:
Quote from: satrow on February 27, 2015, 05:22:05 AM
Looks like the firewall exception is purely for the detection of Roku devices (which apparently should only be, or are only designed/intended for, Private networks).
The FF installer is set to open firewall exceptions on both Public and Private networks, causing blocking in W7 when it fails when it's on a Domain connected PC.
Those on Private networks should not see the firewall popup, those on Public (higher security) do.
That's my interpretation of it, Hello seems to be coincidental as its inclusion predates the change in the firewall settings and it needs Internet, not local, access so they can grab all your 'obfuscated' info to sell.
I ran a Firefox Beta 37.0.b2 from the Mozilla FTP as an experiment, as someone in the know suggested version 37.0.1 will not contain the firewall exception.
Based on the Beta - this is not the case. As a result, I've rolled back to version 35.0.1 to avoid this yet again.
Wandering off-topic slightly - Google courts Firefox users with new dump-Yahoo appeal (https://twitter.com/gkeizer/status/577459005292843008)
https://www.mozilla.org/en-US/firefox/36.0.3/releasenotes/
Firefox 36.0.3
◦Fixed
36.0.3: Security fixes for issues disclosed at HP Zero Day Initiative's Pwn2Own contest
---------------
Remark: It appears that there was NOT a "36.0.2"... it was "skipped".
Firefox 36.0.4
https://www.mozilla.org/en-US/firefox/36.0.4/releasenotes/
•Fixed
36.0.4: Security fixes for issues disclosed at HP Zero Day Initiative's Pwn2Own contest
2015-28: Privilege escalation through SVG navigation https://www.mozilla.org/en-US/security/advisories/mfsa2015-28/
Remark: An incomplete version of this fix was shipped in Firefox 36.0.3