Tech

Mozilla Firefox 44 update fixes critical vulnerabilities

The browser's latest version removes flaws which could prompt problems including memory tampering and address bar spoofing.

Written by Charlie Osborne, Contributing Writer Jan. 27, 2016 at 11:58 p.m. PT

Mozilla has patched a host of critical vulnerabilities in the latest Firefox 44 browser update and Firefox Extended Release 38.6.

In an advisory posted Tuesday, the tech giant said the latest incarnation of the Firefox browser, version 44, includes fixes for a total of 12 security bugs.

Three of the flaws are deemed critical, two are high-risk, six have a "moderate" security risk and one is considered a minor issue.

The first critical flaw relates to unsafe memory manipulation through code inspection. Made up of three separate bugs, the first problem is caused by a memory safety issue in the ANGLE graphics library, a wild pointer flaw which occurs through the handling of .zip files, and an integer overflow during metadata parsing in Mozilla's use of the libstagefright library.

"The first two issues do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them," Mozilla says. "The libstagefright issue could potentially be triggered by a malicious MP4 format video file, allowing for arbitrary code execution."

The second critical issue impacting the browser and extended release is a buffer overflow issue in WebGL. A researcher used Mozilla's Address Sanitizer -- a tool designed to find memory errors -- and discovered the buffer overflow write error, which could potentially result in an exploitable crash.

Security

Lastly, the third critical issue is a collection of memory safety bugs submitted by Mozilla developers and external researchers. Some of these bugs could be exploited to run arbitrary code if memory corruption took place.

"In general these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled, but are potentially a risk in browser or browser-like contexts," Mozilla says.

In addition to patching these severe issues, Mozilla has also patched problems relating to secure connections, out of memory crashes and delays after click events. Two other flaws of note which have been patched are errors allowing for address bar spoofing, and flaws which weaken cryptographic protocols.