Mozilla updated its Firefox browser to version 39.0.3, and along with its update comes fixes for multiple vulnerabilities, including one “critical” bug and three flaws rated “high severity."
In addition to updating their browser, Mozilla suggests users update passwords and keys associated with affected files.
Included among the high severity vulnerabilities was one bug in USB Mass Storage handling of Firefox OS that could have allowed unauthorized access to device data through the USB interface. The two other high severity vulnerabilities involved remote HTML tag injection in Gaia's system app. Gaia is the user interface level of Firefox OS, and everything that appears onscreen after the browser's OS loads is drawn by Gaia.
One of the flaws could have allowed unauthorized access to device data through the USB interface and could expose USB media volumes to USB hosts while a device is locked with a passcode. The other Gaia-related bug could allow attackers to inject HTML code into the system app's context through specially crafted search links.
The update also pegged three other vulnerabilities, one of “moderate” severity and the other two of “low” severity.
Mozilla defines critical vulnerabilities as any that can “be used to run attacker code and install software, requiring no user interaction beyond normal browsing.” On the opposite end of the spectrum, low severity bugs are defined as any “minor security vulnerabilities such as denial-of-service attacks, minor data leaks or spoofs.”