Mozilla has released Firefox 30 which fixes a total of seven vulnerabilities affecting the Web browser. Google has also updated its Chrome Web Browser to address four security holes.
According to an advisory published by Mozilla on Tuesday, five of the seven vulnerabilities fixed in Firefox 30 are critical and could be exploited by an attacker to execute arbitrary code or install software with no user interaction beyond normal Web browsing.
The critical flaws in Firefox include a buffer overflow in the Web Audio Speex resampler, found by Holger Fuhrmannek; a use-after-free vulnerability with the SMIL Animation Controller when interacting with and rendering improperly formed web content, discovered by security researcher “Nils”; a use-after-free in Event Listener Manager reported by Tyson Smith and Jesse Schwartzentruber from BlackBerry; multiple use-after-free and out of bounds issues identified by Abhishek Arya (Inferno) of the Google Chrome Security Team; and miscellaneous memory safety hazards detected by Mozilla’s own developers.
Security researcher Looben Yang identified a high-severity buffer overflow issue in the Gamepad API, and Jordi Chancel found a clickjacking vulnerability through cursor invisibility after Flash interaction. The bug reported by Chancel only affects the OS X version of the Firefox web browser, and the issue found by Yang was only introduced in Firefox 29.
As far as Chrome is concerned, Google has updated the stable channel for Windows, Mac and Linux to version 35.0.1916.153. A total of four vulnerabilities have been fixed with the latest release, with many of them detected using the Address Sanitizer tool, Google engineer Karen Grünberg explained in an advisory on Tuesday.
Collin Payne reported a high-impact use-after-free vulnerability in the fileSystem API (CVE-2014-3154) for which Google rewarded him with $1,000. James March, Daniel Sommermann and Alan Frindell of Facebook also were rewarded with $1,000 for a high-impact out-of-bounds read issue in SPDY (CVE-2014-3155).
Atte Kettunen, a frequent reporter of Chrome vulnerabilities, has been given $500 for a medium-impact buffer overflow in clipboard (CVE-2014-3156). A heap overflow flaw in media (CVE-2014-3157) has been identified by members of the Chrome team.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Verizon 2023 DBIR: Human Error Involved in Many Breaches, Ransomware Cost Surges
- Google Patches Third Chrome Zero-Day of 2023
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
Latest News
- Sysdig Introduces CNAPP With Realtime CDR
- Stay Focused on What’s Important
- VMware Plugs Critical Flaws in Network Monitoring Product
- Hackers Issue ‘Ultimatum’ Over Payroll Data Breach
- US, Israel Provide Guidance on Securing Remote Access Software
- OWASP’s 2023 API Security Top 10 Refines View of API Risks
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
