November 28, 2014

Mozilla 13 Fixes Critical Security Vulnerabilities and Improves New Tab Page

(LiveHacking.Com) – The Mozilla foundation has released Mozilla 13 with some new features including redesigned Home and New Tab pages, the use of the SPDY by default and a series of performance improvements. The new release also fixes some Critical security vulnerabilities including two issues with the Mozilla updater and the Mozilla updater service which were introduced in Firefox 12 the Windows versions of the browser.

According to Mozilla Foundation Security Advisory 2012-35 Security researcher James Forshaw of Context Information Security discovered that Mozilla’s updater is able to load a local DLL file in a privileged context. He also discovered that the updater service is able to load an arbitrary local DLL file, which can then be run with the same system privileges used by the service. For a hacker to exploit these vulnerabilities they would need local file system access.

The other critical fixes were all memory related:

  • MFSA 2012-40 – Security researcher Abhishek Arya of Google used the Address Sanitizer tool to uncover two heap buffer overflow bugs and a use-after-free problem. Affected components include Mozilla’s Unicode conversion functions, the nsFrameList and the nsHTMLReflowState. All three of these issues are potentially exploitable.
  • MFSA 2012-38 – Security researcher Arthur Gerkis used the Address Sanitizer tool to find a use-after-free while replacing/inserting a node in a document. This use-after-free could possibly allow for remote code execution.
  • MFSA 2012-34 – Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and Mozilla presume that with enough effort at least some of these could be turned into a full exploit that allows arbitrary code execution.

SPDY

Along with the various UI changes, Firefox now supports SPDY by default to make browsing more secure. The SPDY, which is designed as a successor to HTTP, tried to reduces the amount of time it takes for web pages to load. The result is that when using services like Google and Twitter, users should notice faster page load times.

Share and Enjoy:
  • Print
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Twitter
  • Google Bookmarks