
Mozilla Fixes 17 Vulnerabilities in Firefox 36

A total of 17 security holes have been addressed by Mozilla with the release of Firefox 36. The latest version of the Web browser also includes support for the HTTP/2 protocol.

While the number of fixed vulnerabilities is higher than usual, only four of the flaws have been rated critical.

One of the critical issues is a buffer overflow in the libstagefright library (CVE-2015-0829). The bug, reported by a security researcher who uses the online moniker Pantrombka, is triggered by invalid MP4 files during video playback. The issue can lead to a potentially exploitable crash, Mozilla said.

Another critical vulnerability that leads to a potentially exploitable crash was discovered and reported by Paul Bandha. The researcher identified a use-after-free bug (CVE-2015-0831) when running specific Web content with IndexedDB to create an index.

The remaining critical flaws are memory safety bugs (CVE-2015-0835, CVE-2015-0836) discovered by Mozilla developers and members of the Mozilla community.

“Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code,” Mozilla said in an advisory.

The high-impact vulnerabilities fixed in Firefox 36 have been described as reading of local files through manipulation of form autocomplete, a buffer overflow during MP3 playback, a buffer overflow during CSS restyling, a double-free issue when using non-default memory allocators with a zero-length XHR, an out-of-bounds read and write while rendering SVG content, and a flaw that made it possible for malicious DLL files to execute with elevated privileges.

The advisory describes the medium-impact security holes as a Caja Compiler JavaScript sandbox bypass, a crash using DrawTarget in the Cairo graphics library, and a crash caused by malicious WebGL content when writing strings. Researchers also discovered that a period appended to hostnames can bypass HPKP and HSTS protections, that UI Tour whitelisted websites in a background tab can spoof foreground tabs, and that local files or privileged URLs in pages can be opened in new tabs.
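The trailing-period issue mentioned above is a host-name canonicalization problem: in DNS, `bank.example.` and `bank.example` name the same host, so a policy store keyed on the exact string would miss the entry for the dotted form. The following is an added illustration, not Firefox's code; the store layout, function names and host names are assumptions constructed for the example.

```javascript
// Illustrative HSTS-style policy store (hypothetical, not Firefox code).
// Constructed sample data: hosts that previously sent Strict-Transport-Security.
const hstsStore = new Map([
  ["bank.example", { includeSubDomains: true, expires: Date.UTC(2030, 0, 1) }],
  ["static.example", { includeSubDomains: false, expires: Date.UTC(2030, 0, 1) }],
]);

// Canonical form used for both storing and looking up policy:
// lower-case, and drop the single trailing root dot of a fully qualified name.
function canonicalHost(host) {
  const h = host.toLowerCase();
  return h.endsWith(".") ? h.slice(0, -1) : h;
}

// Weak lookup: exact string match, so "bank.example." misses the stored entry.
function isHstsNaive(host, now) {
  const entry = hstsStore.get(host);
  return Boolean(entry && entry.expires > now);
}

// Hardened lookup: canonicalize first, then walk up the parent domains,
// honoring includeSubDomains only for entries above the exact host.
function isHstsHardened(host, now) {
  const labels = canonicalHost(host).split(".");
  for (let i = 0; i < labels.length; i++) {
    const entry = hstsStore.get(labels.slice(i).join("."));
    if (entry && entry.expires > now && (i === 0 || entry.includeSubDomains)) {
      return true;
    }
  }
  return false;
}

// Scheme a navigation to http://<host>/ ends up using under a given lookup.
// The default clock value is a constructed timestamp so the example is deterministic.
function upgradeScheme(host, lookup, now = Date.UTC(2025, 0, 1)) {
  return lookup(host, now) ? "https" : "http";
}
```

The same canonical form has to be applied when a policy is stored as well as when it is looked up, and to pin (HPKP-style) stores as much as to HSTS ones.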

Firefox 36 introduces support for the recently finalized Hypertext Transfer Protocol 2 (HTTP/2), the successor of HTTP. Mozilla explained in the release notes that HTTP/2 “enables a faster, more scalable, and more responsive web.”

The latest version of the application also brings syncing for pinned tiles, and a locale for the Uzbek language.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.