Mozilla Firefox Version 65.0 Released with Security Updates

Corrine

Administrator, Security Analyst
Staff member
Joined
Feb 22, 2012
Messages
9,302
Location
Upstate, NY
Mozilla sent Firefox Version 65.0 to the release channel today. Firefox ESR has been updated to Version 60.5.
The update included seven (7) security updates of which three (3) are critical, three (3) are high, and one (1) is rated low.

Release Notes
Security Updates
 

Corrine

For the time being, distribution of Firefox 65 has been stopped due to this bug related to certificate errors: 1523701 - SEC_ERROR_UNKNOWN_ISSUER since updating to Firefox 65. Users are getting the error, "Your Connection is not secure", further indicating that there is an issue with the HTTP Strict Transport Security (HSTS) of the site. According to the referenced bug report it is caused by the web protection modules in antivirus software.
 

softwaremaniac

Moderator, BSOD Kernel Dump Expert, Windows Update Instructor
Staff member
Joined
Oct 9, 2014
Messages
18,386
Location
Croatia
Corrine said:
According to the referenced bug report it is caused by the web protection modules in antivirus software.
Well, if it's an AV vendor issue, shouldn't they fix the issue on their end and not FF?
 

Corrine

According to the BC article, Mozilla Halts Firefox 65 Rollout Due to Insecure Certificate Errors,
In order for an antivirus software to scan an encrypted SSL connection for malicious content it needs to add its own certificate to Mozilla's certificate store in order to perform a MiTM (Man-in-the-Middle) attack.

Avast has told BleepingComputer that this hotfix is currently being rolled out and will disable HTTPS scanning for the Firefox process only. Furthermore, Lukáš Rypáček of Avast has stated that normal HTTP scanning in Firefox will continue to work as normal.
There is no indication on whether Kaspersky is taking any temporary action or waiting for Mozilla.
 

Corrine

Distribution of Firefox 65 has been resumed, per the updated bug report comment at 1523701 - SEC_ERROR_UNKNOWN_ISSUER since updating to Firefox 65

(In reply to Ryan VanderMeulen [:RyanVM] from comment #15)

Hi Lukas, our users updating to Firefox 65 with Avast & AVG installed have been encountering this error with regularity since we launched on Tuesday. We've temporarily halted all automatic updates on Windows to avoid further exacerbating the issue. Have you gotten reports on your end and if so, do you have any ideas what might be happening from your perspective?

Thanks!

Hi Ryan, Firefox HTTPS filtering will be completely disabled by the new virus engine update (eta 2 hours from now) in avast/avg products. We are working on the proper fix. Thnx, David
 