Firefox: Mozilla patches critical flaws that let attackers execute malicious code

Mozilla fixes critical bugs in Firefox 46 and makes progress in Firefox 47 on moving to a plugin-free future for video streaming.
Written by Liam Tung, Contributing Writer


Mozilla has released Firefox 46 and patched several memory bugs that could let an attacker take control of a system.

The new version of Firefox includes fixes for 10 security issues in earlier releases, including one issue stemming from several memory-safety bugs in the browser engine.

"Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla notes in the advisory.

The update also resolves four high-impact issues in Firefox, including a difficult but not impossible to exploit vulnerability discovered by CESG, the information security arm of the UK spy agency GCHQ.

Mozilla notes that CESG found that, "The JavaScript .watch() method could be used to overflow the 32-bit generation count of the underlying HashMap, resulting in a write to an invalid entry."

"Under the right conditions this write could lead to arbitrary code execution. The overflow takes considerable time and a malicious page would require a user to keep it open for the duration of the attack," Mozilla explained.
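To make the generation-count wrap concrete, here is an added C sketch (not Mozilla's code; the table layout, the use of a 32-bit counter to validate cached references and the wider-counter variant are assumptions for illustration): a 32-bit generation counter returns to its old value after exactly 2^32 mutations, so a reference recorded before them passes the freshness check, while a 64-bit counter does not.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical table whose cached entry references are validated by a
 * generation counter, the pattern the advisory describes: every mutation
 * bumps the counter, and a cached reference is trusted only while the
 * generation it recorded still equals the table's current generation. */
typedef struct { uint32_t generation; } Table32;   /* 32-bit counter (bug) */
typedef struct { uint64_t generation; } Table64;   /* assumed hardened variant */

/* Apply n mutations at once. Arithmetically identical to n single ++ calls
 * (modulo the counter width), so 2^32 mutations need no 4-billion loop. */
static void table32_mutate_n(Table32 *t, uint64_t n) { t->generation += (uint32_t)n; }
static void table64_mutate_n(Table64 *t, uint64_t n) { t->generation += n; }

/* A cached reference records the generation at which it was taken. */
static int ref32_still_valid(const Table32 *t, uint32_t taken_at) { return t->generation == taken_at; }
static int ref64_still_valid(const Table64 *t, uint64_t taken_at) { return t->generation == taken_at; }

/* Returns 1 if a reference taken before `mutations` further mutations is
 * still accepted by the 32-bit check. With mutations == 2^32 the counter
 * has wrapped back to its old value, so a stale reference passes and a
 * write through it lands on an entry the table no longer vouches for. */
int stale_ref_accepted_32(uint64_t mutations) {
    Table32 t = { 7 };                 /* constructed starting generation */
    uint32_t taken_at = t.generation;
    table32_mutate_n(&t, mutations);
    return ref32_still_valid(&t, taken_at);
}

/* Same scenario with a 64-bit counter: 2^32 mutations no longer wrap,
 * so the stale reference is correctly rejected. */
int stale_ref_accepted_64(uint64_t mutations) {
    Table64 t = { 7 };
    uint64_t taken_at = t.generation;
    table64_mutate_n(&t, mutations);
    return ref64_still_valid(&t, taken_at);
}

int main(void) {
    uint64_t n = (uint64_t)1 << 32;
    printf("32-bit counter accepts stale ref after 2^32 mutations: %d\n", stale_ref_accepted_32(n));
    printf("64-bit counter accepts stale ref after 2^32 mutations: %d\n", stale_ref_accepted_64(n));
    return 0;
}
```

The 2^32 mutations the page describes as taking "considerable time" are exactly what makes the 32-bit check return to its starting value here.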

Another set of bugs, found by researchers at the UK's Newcastle University, could expose PIN code data in Firefox on Android. The researchers found they were able to infer touch actions in the browser from a device's orientation data and motion sensors.

"They found vulnerabilities in Firefox for Android using orientation data and motion sensors on a mobile device's browser accessible through JavaScript," Mozilla said in the advisory.

Another high-impact bug, found using Address Sanitizer, is a use-after-free in Service Workers caused by a race condition. This flaw could lead to a crash, Mozilla said.

Finally, the update resolves a potentially exploitable crash due to a buffer-overflow flaw in the libstagefright library.

"Using Address Sanitizer, security researcher Sascha Just reported a buffer overflow in the libstagefright library due to issues with the handling of CENC offsets and the sizes table. This results in a potentially exploitable crash triggerable through web content," said Mozilla.

Mozilla also released the public beta of Firefox 47 and its release notes indicate two significant changes in its handling of video and plugins.

It will now allow embedded YouTube videos to play with HTML5 video if Adobe Flash is not installed.

It has also enabled support for Google's Widevine CDM on Windows and Mac OS X, which is a key part of Mozilla's longer-term plan to remove Netscape Plugin Application Programming Interface (NPAPI) plugin support and address the security and stability problems caused by plugins such as Adobe Flash Player.

Mozilla had previously supported Adobe's Primetime CDM to enable DRM-protected HTML5 video streaming playback. Widevine support enables playback of streams that have until now relied on Silverlight.

"It will allow websites to show DRM-protected video content in Firefox without the use of NPAPI plugins," Mozilla noted earlier this month.
