Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Firefox 41 Patches Critical Vulnerabilities

A total of 30 vulnerabilities, including many rated as having critical and high impact, have been patched by Mozilla on Tuesday with the release of Firefox 41.

A total of 30 vulnerabilities, including many rated as having critical and high impact, have been patched by Mozilla on Tuesday with the release of Firefox 41.

The latest version of the popular web browser addresses two critical memory safety errors affecting the ANGLE graphics library (CVE-2015-7179 and CVE-2015-7178). The issues, reported by security researcher Ronald Crane, can lead to a potentially exploitable crash, Mozilla said.

Other critical issues fixed in Firefox are a use-after-free bug triggered when using a shared worker with IndexedDB (CVE-2015-4510), and a use-after-free that can occur when manipulating HTML media content (CVE-2015-4509). Both vulnerabilities can lead to a potentially exploitable crash.

Memory safety bugs identified by Mozilla developers and members of the community have also been rated as having critical severity. Some of the flaws can be exploited to execute arbitrary code.

Ronald Crane has also been credited for reporting eight high severity vulnerabilities identified through code inspection. Mozilla has pointed out that while not all of these security holes have a clear mechanism for exploitation via web content, it’s possible that a trigger mechanism exists.

The list of high severity issues also includes two flaws related to the handling of cross-origin resource sharing (CORS) “preflight” requests, a buffer overflow that occurs when decoding WebM video, an immutable property enforcement bypass, and an arbitrary file manipulation issue that can be exploited by a local attacker through the Mozilla updater. The file manipulation vulnerability only affects the Windows version of Firefox.

Mozilla revealed earlier this month that an attacker had access to a privileged account on the company’s Bugzilla bug tracker since at least September 2014 after stealing a legitimate user’s credentials. The intruder is believed to have accessed the details of 185 non-public bugs before the breach was discovered.

While most of the exposed issues were either not security related or were already fixed by the time they were accessed by the attacker, a total of ten vulnerabilities might have been leveraged for malicious purposes. One of the Firefox flaws was exploited in early August to steal sensitive information from the visitors of a Russian news site.

Advertisement. Scroll to continue reading.

Ensuring that the bugs reported privately via Bugzilla remain private is very important to prevent vulnerabilities from being exploited before they are patched. However, researchers have occasionally found Bugzilla security holes that expose potentially sensitive information. Last week, Mozilla reported patching a flaw that allowed attackers to register accounts with apparently privileged email addresses.

Vulnerabilities in Bugzilla could expose the details of a large number of weaknesses considering that numerous software projects rely on the platform to track bugs.

Related: Firefox 40 Patches Vulnerabilities, Expands Malware Protection

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.