Firefox 37.0.1 Released

Mozilla released an emergency update to Firefox 37 on April 3, 2015 with Firefox 37.0.1. This update did address start-up crashes due to graphics hardware and third party software. However, there were two security fixes to address a couple recently released Mozilla Foundation Security Advisories (MFSA):

  • MFSA 2015-44 Critical: Certificate verification bypass through the HTTP/2 Alt-Svc header [Firefox 37 Desktop]
  • MFSA 2015-43 High: Loading privileged content through Reader mode [Firefox 37 Android/Firefox 38 Beta (Desktop)]

The now disabled HTTP/2 Alt-Svc header aka Opportunistic Encryption For Firefox was introduced in the Firefox 37 from earlier in the week. There has been several security issues/breaches lately with browser SSL Certificates possibly being used to orchestrate Man-in-the-Middle (MITM) attacks. Most recently this included Mozilla revoking China Internet Network Information Center (CNNIC) Intermediate certificates. The actions (or lack there of) of this certificate authority has prompted Mozilla to Distrust New CNNIC Certificates.

Users may be prompted to update to the newest release (37.0.1) of Firefox or can do so manually within Firefox by going to Help > About Firefox and following the update prompts. Users may also manually download and install the newest Firefox update the getfirefox.com site. The next scheduled update for Firefox is May 12th, 2015 with Firefox 38.