Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Critical Vulnerabilities Patched With Release of Firefox 47

Mozilla addressed more than a dozen vulnerabilities in the Firefox web browser with the release of version 47 on Tuesday, including issues rated as having critical impact.

Mozilla addressed more than a dozen vulnerabilities in the Firefox web browser with the release of version 47 on Tuesday, including issues rated as having critical impact.

The critical vulnerabilities are described in two advisories and they have been assigned three CVE identifiers. One of the flaws, tracked as CVE-2016-2819, is a heap buffer overflow triggered when parsing HTML5 fragments. The security hole, reported by a researcher with the moniker “firehack,” can lead to a potentially exploitable crash when inserting an HTML fragment into a document.

Various memory safety bugs and crashes reported by Mozilla developers and members of the community have also been rated as having critical impact (CVE-2016-2815 and CVE-2016-2818).

Six of the vulnerabilities patched with the release of Firefox 47 have been rated “high impact.” One of them, also discovered by “Firehack,” is a use-after-free (CVE-2016-2821) that occurs when a DOM table element created in contenteditable mode is deleted.

Researcher sushi Anton Larsson discovered a pointer lock permission bypass issue (CVE-2016-2831) that can be exploited for persistent denial-of-service (DoS) attacks, and spoofing and clickjacking attacks against the browser’s user interface.

Another high severity flaw was reported by a Mozilla community member who uses the moniker “jomo.” He discovered that a use-after-free bug resulting in a potentially exploitable crash can be triggered when processing WebGL content (CVE-2016-2828).

The Windows version of Firefox is affected by a vulnerability related to the updater (CVE-2016-2826). An attacker could exploit this weakness to overwrite arbitrary files and even for privilege escalation if the targeted files are used by high-privileged Windows components.

Another high severity flaw that only affects the Windows version of Firefox is an out-of-bounds write (CVE-2016-2824) related to the ANGLE graphics library that is used for WebGL content. Exploiting this vulnerability could result in a crash.

Firefox 47 also patches four medium and two low severity issues, including memory safety bugs in Network Security Services (NSS), failure of the Content Security Policy (CSP) to block Java applets, information disclosure on disabled plugins, address bar spoofing, incorrect icons displayed when requesting permissions, and partial same-origin policy (SOP) violations.

Related: Critical, High Severity Flaws Patched in Firefox

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.