Mozilla's Firefox 38 patches 13 security flaws

Mozilla has fixed 13 security problems in Firefox 38, including five vulnerabilities deemed critical.
Written by Charlie Osborne, Contributing Writer

Mozilla has patched 13 security problems in the latest version of Firefox, including five critical vulnerabilities.

Released on Tuesday, the latest version of the Firefox browser fixes five critical issues, as well as five high-risk bugs, two

According to Mozilla's security bulletin, security researcher Ucha Gobejishvili discovered the first critical flaw generated through buffer overflow while parsing compressed XML content. An error in how buffer space is created and modified when handling XML data caused the problem, which could result in a potentially exploitable crash.

Firefox and Thunderbird were vulnerable, although in general this flaw cannot be exploited through email in Thunderbird product as scripting is disabled.

The second critical flaw relates to a use-after-free error during text processing when vertical text is enabled, and also leads to a potentially exploitable crash.

The third critical vulnerability is an out-of-bounds read and write error in asm.js validation, leading to a potentially exploitable crash and the reading of random memory which may contain sensitive user data.

The fourth vulnerability was discovered within buffer overflow during the rendering of SVG format graphics when combined with particular CSS properties on a web page, resulting in a potentially exploitable crash.

The fifth critical problem relates to various memory safety bugs in the browser engine used in Firefox and other Mozilla products, some of which showed signs of memory corruption and the potential for some to be exploited to run arbitrary code.

Other high-risk security vulnerabilities patched in Firefox 38 include: a privilege escalation through IPC channel messages problem, MP4 parsing buffer flow and out-of-bounds read issues -- potentially leading to exploitable crashes -- and a vulnerability within the Firefox webchannel which could allow untrusted pages to intercept communication meant for trusted sources.

Mozilla's latest Firefox update also gives users a choice whether or not to include DRM. The latest release includes support for Adobe's Content Decryption Module (CDM), which allows the playback of DRM-protected content online. However, users can choose to either disable or uninstall Adobe's CDM, or download a version of Firefox 38 which does not include it at all.

Interested?: Firefox 38 asks 'would you like DRM with that?'

Read on: In the world of security

Editorial standards