Firefox 38.1.1 ESR/39.0.3 Security Update Released

On August 6, 2015 Mozilla released an emergency security update for Firefox 38 ESR and Firefox 39 with the Firefox 38.1.1 ESR and Firefox 39.0.3 releases. These releases were a result of MFSA 2015-78: Same origin violation and local file stealing via PDF reader.

From The Mozilla Security Blog:

The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.

The next scheduled releases are Firefox 40 and Firefox 38.2.0 ESR on August 11, 2015.

Disable Extension Signing in Nightly and Developer Builds

Mozilla has allowed extension signing not to be enforced on the Nightly and Developer Edition (Aurora) builds for add-on developers. However, it is enabled by default though when you install or update to these builds. To turn off the extension signing follow these steps:

  1. In a new tab type: about:config in Firefox’s address bar and hit enter.
  2. Confirm you will be careful if a warning message is displayed.
  3. Search for xpinstall.signatures.required.
  4. Double-click on the preference name so that its value is set to false.
  5. Restart the browser to reactivate any disabled extensions

The release version of Firefox 41 (September 2015) will still have this option (or something similar) so users can still install/use unsigned/unverified extensions. However, starting with the release version of Firefox 42 (November 2015) unsigned/unverified extensions can not be installed/used.

Note: This does not apply to Firefox ESR until version 45 (March 2016). Also, this does not apply to Pale Moon or any other unbranded releases of Firefox.


Firefox 41/Chrome 45 and Netflix

What do the upcoming Firefox 41 (Windows 64-Bit) and Chrome 45 have in common? Neither will support Microsoft Silverlight. However, Netflix will continue to work on Chrome 45, because Netflix on Chrome use HTML5, not Silverlight. The same can not be said for Firefox though, where Netflix still uses Silverlight.

Up until Firefox 33 in October 2014, with the introduction of the Open H.264 Video Codec provided by Cisco Systems plugin Firefox did not support HTML5. But, Netflix (being a paid service) uses DRM which was not supported until Firefox 38 in May 2015 when Mozilla added the Primetime Content Decryption Module by Adobe plugin. Looking at Netflix support for HTML5 and Silverlight they list every other browser (including Microsoft Edge) for HTML5 support, but not Firefox.

Again, it is important to remember that the 32-Bit version of Firefox for Windows will continue to support the Silverlight plugin. For those wanting to use HTML5 with Netflix will need to use a browser other than Firefox (regardless of operating system or 32-bit/64-bit). It is Netflix that needs to make HTML5 available for Firefox users, something I have a feeling they may not do anytime soon.

Firefox 40 and Windows 10 Default Browser

One of the first things I wanted to check out was how Mozilla had worked around Microsoft disabling the default browser API. I downloaded and installed Firefox 40 Beta on the freshly upgraded Windows 10 machine and upon first run I was asked if I wanted to make Firefox my default browser (Chrome was currently default and then I had switched it to Edge later for testing purposes).


Firefox detected it was NOT the default browser

Once you click the Use Firefox as my default browser button the Windows 10 Settings > System > Default Apps screen opens which is a lot more friendlier than the Windows 10 default behavior of giving the user this unfriendly message:


Windows 10 Default Apps Screen

You will need to scroll down a bit to the ‘Web Browser’ section and click the + to set the default app.


Windows 10 Default Apps: Web Browser

Firefox’s (Improved) Version of ‘Noisy Tabs’ Coming Fx 42

So back in January 2014, I reported Why Firefox won’t have a ‘Noisy Tabs’ feature. Earlier today over in mozillaZine on the Firefox Builds board PadaV4 commented:

Oh god i just noticed nightly has little loudspeaker icons for tabs which have sound running! And they can be clicked and silenced! Im so excited! I just spent like 5 minutes opening videos in new tabs and muting/unmuting them! Best feature ever!!!

Naturally I had to check this out for myself. Launched and updated Nightly (Firefox 42) then opened YouTube and tried to play a video…nada. Odd, I couldn’t get YouTube to work. Then I noticed the familiar overlay that Flashblock uses. Hmm that’s odd, could’ve sworn I had YouTube whitelisted (turns out I did). So then I clicked on the Flashblock button and the video played, but no speaker on the tab. Since this is not the first time lately I’ve had issues with Flashblock on a site that has been whitelisted, I decided I would disable the add-on and see if that makes a difference. After restarting Nightly went back to YouTube and played a video and this time I had the speaker icon.


Audio Playing In Tab (unmuted)

Now, this is where Firefox’s version is improved. If you click on the speaker on the tab, you can mute (or unmute) the audio without even having to switch to the tab. Chrome only has an indicator that there is audio playing in the tab, but no mechanism to mute (or unmute) the audio playing in said tab.


Audio Playing in Tab (muted)

Firefox 42 is scheduled for release on November 3, 2015. It appears this feature was just landed in today’s (or tonight’s) nightly builds. This feature was requested in Bug 486262 on March 31, 2009.

Mozilla Blasts Microsoft over Choice and Control in Windows 10

Mozilla is not happy about Microsoft’s MSFT 54.29 +0.36 0.67% changes in Windows 10 when it comes to the user’s default browser. The biggest complaint is users who upgrade to Windows 10 will have their default browser changed to Microsoft’s new Edge Browser. Further, it is no longer as simple as going into Firefox to set it as the default browser.

Sometimes we see great progress, where consumer products respect individuals and their choices. However, with the launch of Windows 10 we are deeply disappointed to see Microsoft take such a dramatic step backwards. It is bewildering to see, after almost 15 years of progress bolstered by significant government intervention, that with Windows 10 user choice has now been all but removed. The upgrade process now appears to be purposefully designed to throw away the choices its customers have made about the Internet experience they want, and replace it with the Internet experience Microsoft wants them to have.

Mozilla Future Releases illustrates the process Firefox users must take to make Firefox their default browser again.

Chris Beard, CEO of Mozilla has written An Open Letter to Microsoft’s CEO pleading to Microsoft “Don’t Roll Back the Clock on Choice and Control”.

via The Mozilla Blog

Adjust Tabs Font Size

If you find the text on the tabs is too small, you can change the size of the font by adding the below lines to your userChrome.css file located in your profile folder:

    font-size: 20px !important;

Note: You don’t have to use 20px, you can set the value smaller or larger depending on your needs.

A Look at Extension Signing In Firefox 40

Finally got around to creating (actually cloning) new profiles today and installing the Nightly 42, Developer’s Edition (Aurora) 41 and Beta 40 of Firefox. As I am sure you know by now, Mozilla is starting Extension Signing with Firefox 40. So, what does this mean in the upcoming Firefox 40 (ETA August 11th)? In Firefox 40, it is just warnings…warnings in the add-on manager and a warning when you attempt to install and unsigned (or unverified) add-on. Below is a screenshot of my add-ons manager in Firefox 40. First thing I noticed was the slight change in the UI with the darker side bar and the addition of ‘Experiments’ menu item (might be used in the future for Idea Town).

Add-ons manager in Firefox 40.

Add-ons manager in Firefox 40.

As you can see I have a couple add-ons that can not “be verified”. Clicking the More information link takes you to the Mozilla support page about add-on signing. Something interesting here is Forecastfox shows as unverified even though it is hosted on AMO. Turns out Forecastfox is no longer compatible with Firefox so it was not automatically signed. For those who are looking for a replacement Oleksandr has created Forecastfox (fix version).

So, what happens when you try to install an unsigned (or unverified) add-on? In Firefox 40 you will get this warning:

Warning when attempting to install an unsigned extension.

Warning when attempting to install an unsigned add-on.

Starting in Firefox 41 (ETA September 22nd) the installation of an unsigned/unverified add-on will be blocked. However, users can disable this (I am assuming via about:config). Firefox 41 is currently in the Developer’s Edition channel which like the Nightly channel will still allow installation after the warning (as I found out earlier today). So, I will need to wait until Firefox 41 moves into the Beta channel (mid August) to see what happens with that version and how you can force installation. Firefox 42 (ETA November 3rd) will not allow an unsigned/unverified add-on to be installed, period. Again, will need to wait for that version to reach Beta in late September to see how that works.

Win64 Firefox NOT Coming with Firefox 40

Javaun Moradi announced earlier in bug 1181014 (this was the bug about how to ‘market’ the Win64 builds on

Folks, we’ve decided not to release win64 builds in Fx40. We have many improvements coming in 41 — sandboxing and NPAPI whitelisting, and possibly some other fixes — and it makes sense to hold. I as much as anyone want to see 64 launch, but given the enthusiasm, it’s better to wait for a product that has safety and polish 41 will bring.

He also commented in bug 1180792 (enabling Win64 builds on release channel):

Our original plan was a quiet soft-launch in 40, and to make
more noise in 41 when we have added safety.

There are two big reasons I can think of why Mozilla has made this decision regarding Win64 Firefox release:

  1. There had been some concerns expressed that pushing out the Win64 Firefox on August 11th (Firefox 40) before it was really ready would make it seem Mozilla was just releasing it because everyone else was pushing out a 64-Bit Windows browser because of Windows 10.
  2. There won’t be as much user shock/surprise/anger when they discover that Java and SilverLight suddenly don’t work in the Win64 Firefox 41 as there would have been had they updated from the Win64 Firefox 40.