Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Firefox 40 Patches Vulnerabilities, Expands Malware Protection

Mozilla announced on Tuesday that Firefox 40 is available for download. The latest version of the popular web browser adds support for Windows 10, patches several vulnerabilities, and expands malware protection.

Mozilla announced on Tuesday that Firefox 40 is available for download. The latest version of the popular web browser adds support for Windows 10, patches several vulnerabilities, and expands malware protection.

Firefox 40 fixes roughly 20 vulnerabilities, some of which have been rated critical. The critical issues, which can result in exploitable crashes, have been detailed by Mozilla in four security advisories.

The list of critical vulnerabilities includes buffer overflows in the Libvpx library when decoding malformed WebM video files (CVE-2015-4485, CVE-2015-4486), integer overflows in the libstagefright library (CVE-2015-4479, CVE-2015-4480, CVE-2015-4493), a use-after-free in the way audio is handled through the Web Audio API during MediaStream playback (CVE-2015-4477), and a couple of memory safety bugs found by Mozilla developers and members of the community (CVE-2015-4473, CVE-2015-4474).

A use-after-free related to the XMLHttpRequest JavaScript object, a heap overflow in the gdk-pixbuf library (only affects Linux running Gnome), an out-of-bounds write in the updater, an arbitrary file overwriting issue through the Mozilla Maintenance Service, an out-of-bounds read triggered during malformed MP3 playback, and three vulnerabilities reported through code inspection have been rated “high severity.”

Over the past months, Google has made several improvements to Safe Browsing, a service designed to alert users if they are about to download malicious software or visit a potentially dangerous website. Mozilla also uses Safe Browsing to keep its customers safe and starting with Firefox 40 users will be warned when they visit pages known to contain deceptive software that can make unwanted changes to the computer.

Users who don’t like the warnings or don’t want to send any data to Google can disable the features provided by Safe Browsing.

Another security announcement made recently by Mozilla is related to the signing of add-ons and extensions.

Advertisement. Scroll to continue reading.

“Mozilla will begin requiring all extensions to be signed in order for them to be installable in Release and Beta versions of Firefox. Signing will be done through (AMO) and will be mandatory for all extensions, regardless of where they are hosted,” Mozilla said.

This measure will be implemented in three stages. Starting with Firefox 40, users are warned about signatures, but the policy is not enforced. In Firefox 41, scheduled to be released on September 22, the web browser will have a preference that allows signature enforcement to be disabled. In Firefox 42, currently set for release on November 3, this option will be removed and unsigned extensions will no longer be allowed.

On August 6, Mozilla released an update for Firefox 39 to address a zero-day vulnerability that had been exploited in the wild to inject malware that could search for and upload potentially sensitive local files.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.