Mozilla releases Firefox 42, fixes several vulnerabilities

Mozilla released Firefox 42 Tuesday fixing 18 vulnerabilities, with half of those being considered critical or high on Mozilla’s impact scale.
Mozilla released Firefox 42 Tuesday fixing 18 vulnerabilities, with half of those being considered critical or high on Mozilla’s impact scale.

Mozilla released Firefox 42 Tuesday fixing 18 vulnerabilities, with half of those being considered critical or high on Mozilla's impact scale.

The three patches deemed critical take care of NSS and NSPR memory corruption issues, vulnerabilities found through code inspection and miscellaneous memory safety hazards.

“If these issues were triggered, they would lead to a potentially exploitable crash,” the company said in critical advisory 2015-133 for the NSS and NSPR issue.

The six “high risk” vulnerabilities include JavaScript garbage collection crash, which is potentially exploitable; memory corruption in libjar through zip files that can create an exploitable crash; and a fix that stops an XSS attack through intents on Firefox for Android.

The seven moderate risk patches fix items such as Android intents can be used on Firefox for Android to open privileged files; buffer overflow during image interactions in canvas; Firefox for Android address bar can be removed after fullscreen mode that could allow a hacker to change the address.

“When Firefox for Android exits fullscreen mode, it can be induce through script to not restore the address bar when the window is redrawn in normal mode. This could allow an attacker to spoof the address bar with their own content,” Mozilla said in advisory 2015-119.

The two low priority fixes take care of information disclosure through NTLM authentication and stopping certain escaped characters in hostnames being parsed incorrectly and then being treated as non-escaped.

“An attacker can craft a malicious page to send a silent NTLM request that will disclose the information without visibility in the client, leading to information disclosure,” Mozilla said in advisory 2015-117 concerning the first low priority vulnerability.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS