Mozilla fixes critical vulnerabilities in Firefox browser and Extended Support Release
Mozilla yesterday issued two security advisories announcing key updates to its Firefox browser and the Firefox Extended Support Release (ESR), both of which fixed vulnerabilities that the open-source developer labeled as critical.
The latest iteration of the Firefox browser, version 44.0.2, has addressed a critical vulnerability surrounding the ability of service workers to intercept responses to plug-in network requests. Plug-ins responsible for making security decisions were susceptible to forged, malicious responses that would allow websites to override same-origin policies — an important security measure that forbids web pages from accessing sensitive data on other web pages unless they share the same origin.
Meanwhile, version 38.6.1 of the Firefox ESR has patched a vulnerability associated with a malicious Graphite 2 smart font capable of triggering arbitrary code execution. According to Mozilla, the malicious font “could circumvent the validation of internal instruction parameters in the Graphite 2 library using special CNTXT_ITEM instructions,” potentially resulting in code execution. Mozilla addressed the issue by integrating a more up-to-date version of Graphite 2 into its ESR.