(LiveHacking.Com) – Mozilla has released Firefox 14 and in doing so it has patched five critical security vulnerabilities and added support for HTTPS when searching Google.
The second critical vulnerability was with the JSDependentString::undepend function. The string conversion results in memory corruption where data is freed, leaving other dependent strings with dangling pointers. This can lead to a potentially exploitable crash.
Mozilla developer Bobby Holley found the third vulnerability. He discovered that the same-compartment security wrappers (SCSW) can be bypassed by passing them to another compartment. An exploit of the vulnerability would mean that untrusted content would have access to the XBL that implements browser functionality.
The fourth critical vulnerability is comprised of four memory corruption issues: two use-after-free problems, one out-of-bounds read bug, and a bad cast. All four of these issues are potentially exploitable, however there are no known exploits at the moment but it is presumed that with enough effort at least one of these could be exploited to run arbitrary code.
The fifth and final critical patches are again for memory corruption issues. Mozilla developers identified and fixed several memory safety bugs that showed evidence of memory corruption under certain circumstances. With effort, it is presumed that these could allow remote attackers to cause a denial of service or possibly execute arbitrary code.
Alongside these Critical fixes, Mozilla also fixed several other security vulnerabilities:
- MFSA 2012-55 feed: URLs with an innerURI inherit security context of page
- MFSA 2012-53 Content Security Policy 1.0 implementation errors cause data leakage
- MFSA 2012-51 X-Frame-Options header ignored when duplicated
- MFSA 2012-50 Out of bounds read in QCMS
- MFSA 2012-48 use-after-free in nsGlobalWindow::PageHidden
- MFSA 2012-46 XSS through data: URLs
- MFSA 2012-45 Spoofing issue with location
- MFSA 2012-43 Incorrect URL displayed in addressbar through drag and drop
On the new features front, Firefox 14 now automatically encrypts (via HTTPS) all searches passed to Google’s search engine. The now by-default secure connection between the browser and Google’s search site encrypts the data sent to the search engine to keep it from being monitored especially when using public or shared WiFi networks.
Mozilla also released new versions of Thunderbird and SeaMonkey. Users should review the advisories for Firefox ESR 10.0.6, Thunderbird 14, Thunderbird ESR 10.0.6, and SeaMonkey 2.11 and apply any updates.