Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Firefox 50 Patches 27 Vulnerabilities

Mozilla this week released Firefox 50 in the stable channel to patch 27 vulnerabilities and to provide users with improved Download Protection.

Mozilla this week released Firefox 50 in the stable channel to patch 27 vulnerabilities and to provide users with improved Download Protection.

Three of the resolved issues in the popular Web browser were Critical flaws, 12 were considered High risk, 10 were rated Moderate severity, and two were Low risk issues. In addition to resolving all of them, Mozilla packed Firefox 50 with other security improvements as well.

One of the most important vulnerabilities patched in this Firefox release is CVE-2016-5296, a Heap-buffer-overflow WRITE in Cairo when processing SVG content. The bug is caused by compiler optimization, and could result in a potentially exploitable crash.

The other two Critical issues fixed in Firefox 50 were CVE-2016-5289 and CVE-2016-5290 (the latter was resolved in both Firefox 50 and Firefox ESR 45.5), namely a series of memory safety bugs discovered by Mozilla developers and community members. Some of these vulnerabilities showed evidence of memory corruption, presumably allowing a determined attacker to exploit them to run arbitrary code.

The High severity bugs resolved in the browser include a potentially exploitable crash during URL parsing, Mozilla Updater issues resulting in writing to arbitrary file or in choosing an arbitrary target working directory for output files, an error in argument length checking in JavaScript, and an issue with add-ons updates failing to perform ID verifications.

Additionally, it resolves an integer overflow leading to a buffer overflow in nsScriptLoadHandler, WebExtensions using access to the mozAddonManager API for elevated privileges, a heap-use-after-free in nsRefreshDriver, 64-bit NPAPI sandbox not being enabled on fresh profile, and canvas filters allowing feDisplacementMaps to be applied to cross-origin images, which allows for timing attacks on them. A location bar spoofing using fullscreen on Firefox for Android was also addressed.

Moreover, the new browser release adds Download Protection for a large number of executable file types on Windows, Mac and Linux, thus improving the overall security of its users. The enhancement comes several months after Mozilla added potentially unwanted software and uncommon downloads to the browser’s security feature.

Powered by the Google Safe Browsing API, Download Protection is periodically improved to keep up with the latest enhancements Google has made to its security service. Safe Browsing, which is used in Chrome as well, offers protection from both malicious websites and nefarious files.

Advertisement. Scroll to continue reading.

The updated browser release also brings protection against MIME confusion attacks, a security feature that Mozilla announced back in August. Moving forward, Firefox should be able to protect users from attacks where attackers hide malicious code in the form of other file types (such as images).

Related: Microsoft Edge Tops Browser Protection Tests

Related: Firefox 49 Patches Critical, High Severity Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.