
Mozilla updates Firefox; issues patch for ‘critical’ vulnerability

Mozilla updated its Firefox browser to version 39.0.3. The update fixes multiple vulnerabilities, including one “critical” bug and three flaws rated “high severity.”

The critical vulnerability, spotted in the wild earlier this week, comes from the “interaction of the mechanism that enforces JavaScript context separation (the ‘same origin policy’) and Firefox's PDF Viewer,” the company wrote in a blog post. Although attackers could not exploit the vulnerability to execute arbitrary code, they could inject a JavaScript payload into the local file context, which would allow an attacker to search for and upload local files.

While only Windows and Linux users were impacted, Mac users could be vulnerable if an attacker creates a new payload.

Mozilla suggests that, in addition to updating their browser, users change the passwords and keys associated with the affected files.
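The remediation the article describes is a patch-management task: find every install still below 39.0.3, update it, and rotate the credentials stored on those machines. The following is an added example, not code from Mozilla or SC Media, of how that compliance check is typically implemented against an asset inventory. The inventory record layout and the sample rows are constructed for illustration, and the check assumes the version strings come from the mainline Firefox release branch, where 39.0.3 is the fixed version.

```python
"""Patch-compliance check for the Firefox 39.0.3 update.

Added example, not code from Mozilla or SC Media. It assumes an asset
inventory that records the Firefox version installed on each host (the
record layout and the sample rows below are constructed for illustration)
and that the versions are mainline release builds.
"""
import re
from typing import NamedTuple

# Version that carries the fix for the PDF Viewer / same-origin bug
# described in the article.
FIXED_VERSION = "39.0.3"

# Numeric dotted version, optionally followed by an alphabetic suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-zA-Z].*)?$")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '39.0.3' into (39, 0, 3) so versions compare numerically.

    A plain string comparison would rank '39.0.3' above '39.0.10'. Any
    trailing alphabetic suffix is ignored; the fix level is judged on the
    numeric part only.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build is at or above the fixed version."""
    a, b = parse_version(installed), parse_version(fixed)
    # Pad the shorter tuple so '39.0' compares as (39, 0, 0), below (39, 0, 3).
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


class Host(NamedTuple):
    name: str
    platform: str
    firefox_version: str


# Constructed inventory rows; these are not real hosts.
INVENTORY = [
    Host("ws-01", "windows", "39.0.3"),
    Host("ws-02", "windows", "39.0"),
    Host("dev-07", "linux", "39.0.1"),
    Host("mac-03", "macos", "39.0.2"),
    Host("ws-11", "windows", "40.0"),
]


def unpatched_hosts(inventory: list[Host]) -> list[str]:
    """Return the names of hosts still running a build below the fixed version.

    Every platform is checked, not only Windows and Linux: the article notes
    that Mac users could be vulnerable to a newly created payload.
    """
    return [h.name for h in inventory if not is_patched(h.firefox_version)]


if __name__ == "__main__":
    for name in unpatched_hosts(INVENTORY):
        print(f"{name}: Firefox below {FIXED_VERSION}; update and rotate stored credentials")
```

The list this produces is also the list of machines whose stored passwords and keys should be rotated, since the article's advice applies to files on any host that ran a vulnerable build, not only to hosts where an attack was observed.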

Included among the high severity vulnerabilities was a bug in Firefox OS's USB Mass Storage handling that could have allowed unauthorized access to device data through the USB interface, exposing USB media volumes to USB hosts while the device is locked with a passcode. The two other high severity vulnerabilities involved remote HTML tag injection in Gaia's system app; one of them could allow attackers to inject HTML code into the system app's context through specially crafted search links. Gaia is the user interface layer of Firefox OS: everything that appears onscreen after the OS loads is drawn by Gaia.

The update also addressed three other vulnerabilities, one of “moderate” severity and the other two of “low” severity.

Mozilla defines critical vulnerabilities as any that can “be used to run attacker code and install software, requiring no user interaction beyond normal browsing.” On the opposite end of the spectrum, low severity bugs are defined as any “minor security vulnerabilities such as denial-of-service attacks, minor data leaks or spoofs.”
