Firefox 40 Patches Vulnerabilities, Expands Malware Protection

Mozilla announced on Tuesday that Firefox 40 is available for download. The latest version of the popular web browser adds support for Windows 10, patches several vulnerabilities, and expands malware protection.

Firefox 40 fixes roughly 20 vulnerabilities, some of which have been rated critical. The critical issues, which can result in exploitable crashes, have been detailed by Mozilla in four security advisories.

The list of critical vulnerabilities includes buffer overflows in the Libvpx library when decoding malformed WebM video files (CVE-2015-4485, CVE-2015-4486), integer overflows in the libstagefright library (CVE-2015-4479, CVE-2015-4480, CVE-2015-4493), a use-after-free in the way audio is handled through the Web Audio API during MediaStream playback (CVE-2015-4477), and a couple of memory safety bugs found by Mozilla developers and members of the community (CVE-2015-4473, CVE-2015-4474).

A use-after-free related to the XMLHttpRequest JavaScript object, a heap overflow in the gdk-pixbuf library (only affects Linux running Gnome), an out-of-bounds write in the updater, an arbitrary file overwriting issue through the Mozilla Maintenance Service, an out-of-bounds read triggered during malformed MP3 playback, and three vulnerabilities reported through code inspection have been rated “high severity.”

Over the past months, Google has made several improvements to Safe Browsing, a service designed to alert users if they are about to download malicious software or visit a potentially dangerous website. Mozilla also uses Safe Browsing to keep its customers safe and starting with Firefox 40 users will be warned when they visit pages known to contain deceptive software that can make unwanted changes to the computer.

Users who don’t like the warnings or don’t want to send any data to Google can disable the features provided by Safe Browsing.

Another security announcement made recently by Mozilla is related to the signing of add-ons and extensions.

“Mozilla will begin requiring all extensions to be signed in order for them to be installable in Release and Beta versions of Firefox. Signing will be done through addons.mozilla.org (AMO) and will be mandatory for all extensions, regardless of where they are hosted,” Mozilla said.

This measure will be implemented in three stages. Starting with Firefox 40, users are warned about signatures, but the policy is not enforced. In Firefox 41, scheduled to be released on September 22, the web browser will have a preference that allows signature enforcement to be disabled. In Firefox 42, currently set for release on November 3, this option will be removed and unsigned extensions will no longer be allowed.

On August 6, Mozilla released an update for Firefox 39 to address a zero-day vulnerability that had been exploited in the wild to inject malware that could search for and upload potentially sensitive local files.