The Mozilla Foundation yesterday released nine security updates fixing as many vulnerabilities in its popular Firefox browser. The fixes address three critical vulnerabilities, and others rated high and moderate.
Mozilla issues critical ratings for bugs an attacker can exploit in order to run code and install software without any user interaction beyond normal browsing activity. All of the critically rated bugs affect Firefox 34, extended support release 31.3 (on which the Tor Browser Bundle is based) and Thunderbird 31.3.
Advisory 2014-88 — discovered by Abhishek Arya (AKA Inferno) of the Google Chrome Security Team — resolves a buffer overflow during the parsing of media content that could lead to an exploitable crash. In its advisory, Mozilla notes that the flaw is not generally exploitable via email in Thunderbird because scripting is disabled, though it’s risky in browsers and browser-like environments.
The second critical bug, advisory 2014-87, was discovered by security researcher Berend-Jan Wever. It’s a use-after-free in the HTML5 parsing process triggered by the creation of secondary root elements. Like the previous vulnerability, this one cannot be exploited via email in Thunderbird because scripting is disabled. However, in browsers it could cause an exploitable crash.
Advisory 2014-83 resolves a number of memory safety hazards — again not exploitable via email in Thunderbird — uncovered by the Mozilla developer community. Mozilla claims that some of the bugs have shown evidence of memory corruption under certain circumstances and believes that some of them may enable attackers to run arbitrary code as well.
Mozilla rates bugs as high in cases where an attacker can exploit the vulnerability in order to gather sensitive data from sites in other windows or inject code into those sites, again requiring nothing more than typical browsing behavior. Advisory 2014-86 resolves a data leak issue in Content Security Policy violation reports in Firefox 34 that could potentially spill sensitive information such as usernames or single sign-on tokens during a redirect. Advisory 2014-89 fixes a bad casting issue from the BasicThebesLayer to the BasicContainerLayer that is potentially exploitable in Firefox, Firefox ESR and Thunderbird. Mozilla also released a fix for the CoreGraphics framework for Mozilla users on Apple’s Yosemite operating system affecting Firefox, Firefox ESR and Thunderbird.
Moderately rated bugs are those that would otherwise be considered highly or critically rated but require unusual circumstances in order to be exploitable. In this round of patches, Mozilla fixed a problem that allowed privileged access to security-wrapped access (2014-91), an issue that triggered XMLHttpRequest crashes with some input streams (2014-85) and a mistake that made XBL bindings accessible via improper CSS declarations.
You can find more information about these bugs and their respective fixes on the Mozilla Foundation Security Advisories website.