Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Mozilla Fixes 17 Vulnerabilities in Firefox 36

A total of 17 security holes have been addressed by Mozilla with the release of Firefox 36. The latest version of the Web browser also includes support for the HTTP/2 protocol.

While the number of fixed vulnerabilities is higher than usual, only four of the flaws have been rated critical.

A total of 17 security holes have been addressed by Mozilla with the release of Firefox 36. The latest version of the Web browser also includes support for the HTTP/2 protocol.

While the number of fixed vulnerabilities is higher than usual, only four of the flaws have been rated critical.

One of the critical issues is a buffer overflow in the libstagefright library (CVE-2015-0829). The bug, reported by a security researcher who uses the online moniker Pantrombka, is caused by invalid MP4 files during video playback. The issue can lead to a potentially exploitable crash, Mozilla said.

Another critical vulnerability that leads to a potentially exploitable crash was discovered and reported by Paul Bandha. The researcher identified a use-after-free bug (CVE-2015-0831) when running specific Web content with IndexedDB to create an index.

The remaining critical flaws are memory safety bugs (CVE-2015-0835, CVE-2015-0836) discovered by Mozilla developers and members of the Mozilla community.

“Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code,” Mozilla said in an advisory.

The high-impact vulnerabilities fixed in Firefox 36 have been described as reading of local files through manipulation of form autocomplete, a buffer overflow during MP3 playback, a buffer overflow during CSS restyling, a double-free issue when using non-default memory allocators with a zero-length XHR, an out-of-bounds read and write while rendering SVG content, and a flaw that made it possible for malicious DLL files to execute with elevated privileges.

The advisory describes the medium-impact security holes as a Caja Compiler JavaScript sandbox bypass, crash using DrawTarget in Cairo graphics library, and malicious WebGL content crash when writing strings. Researchers also discovered that an appended period to hostnames can bypass HPKP and HSTS protections, UI Tour whitelisted websites in the background tab can spoof foreground tabs, and that local files or privileged URLs in pages can be opened in new tabs.

Advertisement. Scroll to continue reading.

Firefox 36 introduces support for the recently finalized Hypertext Transfer Protocol 2 (HTTP/2), the successor of HTTP. Mozilla explained in the release notes that HTTP/2 “enables a faster, more scalable, and more responsive web.”

The latest version of the application also brings syncing for pinned tiles, and a locale for the Uzbek language.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.