Mozilla yesterday issued two security advisories announcing key updates to its Firefox browser and the Firefox Extended Support Release (ESR), both of which fixed vulnerabilities that the open-source developer labeled as critical.
The latest iteration of the Firefox browser, version 44.0.2, has addressed a critical vulnerability in which service workers were able to intercept responses to plug-in network requests. Plug-ins responsible for making security decisions were susceptible to forged, malicious responses that would allow websites to override same-origin policies, an important security measure that forbids web pages from accessing sensitive data on other web pages unless they share the same origin.
Meanwhile, version 38.6.1 of the Firefox ESR has patched a vulnerability associated with a malicious Graphite 2 smart font capable of triggering arbitrary code execution. According to Mozilla, the malicious font “could circumvent the validation of internal instruction parameters in the Graphite 2 library using special CNTXT_ITEM instructions,” potentially resulting in code execution. Mozilla addressed the issue by integrating a more recent version of Graphite 2 into its ESR.