Mozilla plans to distribute an update to Firefox's Stable channel today that brings the version to Firefox 59.0.1. Firefox ESR is updated to version 52.7.2 to address the issue as well.

The release comes three days after the release of Firefox 59.0 to the Stable channel.

Update: The release is available and the security advisory page describes the issue as "Out of bounds memory write while processing Vorbis audio data".

While we do know that Firefox 59.0.1 includes security fixes, we don't know the nature of them yet. Mozilla has yet to publish the release notes for Firefox 59.0.1.

Firefox users need to wait a bit longer before Mozilla releases the update. The browser will pick it up through its automatic updating mechanism if it has not been disabled or modified.

Users can run a check for updates with a click on Menu > Help > About Firefox. If the new version is available, Firefox should pick it up, download it, and install it on the computer system.

The release is already on Mozilla's FTP server; download sites have picked it up already and are distributing it. Firefox users need to know, however, that last-minute issues or changes have in the past resulted in the release of another build.

Generally speaking, it is not recommended to install unreleased stable builds from Mozilla's FTP server.

While we don't know yet what the security release fixes, one possible explanation is that it addresses issues discovered during the Pwn2Own 2018 hacking contest.

Firefox was targeted by Richard Zhu, who managed to take full control over Firefox by using an out-of-bounds write in the browser followed by an integer overflow in the Windows kernel.

All vulnerabilities used or discovered during the event are passed on to the companies that create or maintain the products.

Mozilla would have to have prior knowledge of the issues used to exploit the browser to release a patch on the same day.

The security advisory page has not been updated yet. The release notes may very well only inform users that security vulnerabilities have been patched.