October 21, 2014

Mozilla fixes 5 critical security vulnerabilities in FireFox

(LiveHacking.Com) – Mozilla has released Firefox 14 and in doing so it has patched five critical security vulnerabilities and added support for HTTPS when searching Google.

The first critical bug fixed was a problem with Javascript: URLS. Firefox’s Javascript engine allows add-ons to execute scripts  in a sandbox. In some cases, Javascript: URLs are executed without sufficient context which can allow those scripts to escape from the sandbox and execute arbitrary code.

The second critical vulnerability was with the JSDependentString::undepend function. The string conversion results in memory corruption where data is freed, leaving other dependent strings with dangling pointers. This can lead to a potentially exploitable crash.

Mozilla developer Bobby Holley found the third vulnerability. He discovered that the same-compartment security wrappers (SCSW) can be bypassed by passing them to another compartment. An exploit of the vulnerability would mean that untrusted content would have access to the XBL that implements browser functionality.

The fourth critical vulnerability is comprised of  four memory corruption issues:  two use-after-free problems, one out-of-bounds read bug, and a bad cast. All four of these issues are potentially exploitable, however there are no known exploits at the moment but it is presumed that with enough effort at least one of these could be exploited to run arbitrary code.

The fifth and final critical patches are again for memory corruption issues. Mozilla developers identified and fixed several memory safety bugs that showed evidence of memory corruption under certain circumstances. With effort, it is presumed that these could allow remote attackers to cause a denial of service or possibly execute arbitrary code.

Alongside these Critical fixes, Mozilla also fixed several other security vulnerabilities:

On the new features front, Firefox 14 now automatically encrypts (via HTTPS) all searches passed to Google’s search engine. The now by-default secure connection between the browser and Google’s search site encrypts the data sent to the search engine to keep it from being monitored especially when using public or shared WiFi networks.

Mozilla also released new versions of Thunderbird and SeaMonkey. Users should review the advisories  for Firefox ESR 10.0.6, Thunderbird 14, Thunderbird ESR 10.0.6, and SeaMonkey 2.11 and apply any updates.

Share and Enjoy:
  • Print
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Twitter
  • Google Bookmarks