
Firefox 45 browser update patches 22 critical vulnerabilities

The latest Mozilla Firefox round of patches is laden with fixes for a number of security problems.
Written by Charlie Osborne, Contributing Writer

The latest version of the Firefox browser comes with security fixes for a total of 40 vulnerabilities, 22 of which are deemed critical.


Firefox 45, released on Tuesday, includes a total of 21 security advisories, including nine critical bulletins.

The majority of the bugs were discovered in the Graphite 2 font processing library. A total of 14 bugs were named in one advisory alone, among them heap buffer overflow read and write problems, uninitialized memory errors and out-of-bounds write errors.

Combine these with another vulnerability, an out-of-bounds write with a malicious font, and you have a potentially exploitable crash on your hands.

The update also resolves a number of use-after-free vulnerabilities during XML transformations, as well as when a user is running multiple WebRTC data channels.

The same kind of vulnerability was also spotted in the Service Worker Manager platform, the HTML function SetBody and HTML5 string parser functions.

Another critical vulnerability fixed within Firefox 45 is a heap-based buffer overflow in the way Network Security Services (NSS) libraries parsed certain ASN.1 structures. In addition, Mozilla has patched a number of memory corruption bugs which could be exploited to run arbitrary code.

Mozilla has also provided fixes for less severe security issues, including WebRTC and LibVPX vulnerabilities, use-after-free issues, same-origin policy violations and a memory leak in libstagefright.

Alongside the security fixes, Mozilla has also decided to remove features which have not proved popular with users. Tab Groups have now been removed for users of the Firefox browser on Windows, Mac and Linux, although users can still keep this functionality if they wish through add-ons.

In addition, Firefox on Android versions 3.0 through 3.2.6 -- otherwise known as Android Honeycomb -- will soon lose the organization's support.
