
Mozilla’s Firefox 47 patches 13 vulnerabilities, two critical

In its latest Firefox browser release, Mozilla this week fixed two critical vulnerabilities – a buffer overflow and a set of memory safety bugs – plus 11 other security holes rated low to high in severity, for 13 advisories in total.

Discovered by the security researcher “firehack,” the buffer overflow (CVE-2016-2819) occurs while parsing HTML5 fragments in a foreign context, such as under an SVG (Scalable Vector Graphics) node. According to Mozilla's security advisory, inserting such an HTML fragment into an existing document can trigger a “potentially exploitable crash.”

The other critical entry covered miscellaneous memory safety hazards (CVE-2016-2818 and CVE-2016-2815) found in Firefox and its Extended Support Release (ESR). “Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code,” Mozilla wrote.

Among the high-severity vulnerabilities patched in Firefox 47 was a bug that, under certain circumstances, engaged pointer lock without user permission. The lock could not be cancelled without terminating the browser, resulting in a persistent denial of service. Another was a flaw whereby the Mozilla Windows updater could be used to overwrite arbitrary files, which could lead to privilege escalation on the affected machine.

Other high-severity flaws addressed included an out-of-bounds write when using the ANGLE graphics library for WebGL (Web Graphics Library) content, and two use-after-free vulnerabilities. A use-after-free is a memory corruption flaw in which a program keeps using a pointer to memory after that memory has been freed; if an attacker can arrange for attacker-controlled data to be allocated into the same region before the stale pointer is dereferenced, the bug can be escalated from a crash to arbitrary code execution.
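To make the use-after-free mechanism concrete, the following is an added example and not code from Mozilla, Firefox, or the advisories above. It uses a constructed four-slot slab allocator (first-fit slot reuse, like a real heap's size class) so the behaviour is deterministic: a "widget" object holding a callback pointer is freed, the dangling pointer is kept, an attacker-controlled allocation lands in the same slot and overwrites the callback, and the stale dispatch then runs the attacker's function. The hardened flow beside it nulls the only reference at free time and refuses the use. All names (slab_alloc, widget_t, attacker_handler, run_vulnerable, run_hardened) are hypothetical.

```c
/* Added example (not Mozilla/Firefox code): deterministic use-after-free
 * on a constructed slab allocator, with the hardened form beside it. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 32
#define NSLOTS 4

/* A slot is a raw byte buffer, union-aligned so it can hold a struct that
 * contains a pointer. Freed slots are handed out again first-fit, which is
 * the property an attacker relies on when "grooming" a real heap. */
typedef union { unsigned char raw[SLOT_SIZE]; void *align; } slot_t;
typedef struct { slot_t slots[NSLOTS]; int used[NSLOTS]; } slab_t;

static void *slab_alloc(slab_t *s) {
    for (int i = 0; i < NSLOTS; i++) {
        if (!s->used[i]) { s->used[i] = 1; return s->slots[i].raw; }
    }
    return NULL;
}

static void slab_free(slab_t *s, void *p) {
    for (int i = 0; i < NSLOTS; i++) {
        if ((void *)s->slots[i].raw == p) { s->used[i] = 0; return; }
    }
}

/* The victim object: its first field is a callback, standing in for the
 * vtable pointer of a C++ DOM object. */
typedef struct { int (*on_event)(int); int id; } widget_t;

static int safe_handler(int x) { return x + 1; }             /* benign */
static int attacker_handler(int x) { (void)x; return 0xBAD; } /* "arbitrary code" */

/* Vulnerable flow: free the widget, keep the dangling pointer, let an
 * attacker reallocate the same slot with bytes of their choosing, dispatch. */
int run_vulnerable(void) {
    slab_t slab = {0};
    widget_t *w = slab_alloc(&slab);
    w->on_event = safe_handler;
    w->id = 7;

    slab_free(&slab, w);             /* object freed ...                    */
                                     /* ... but w is still used below (bug) */

    /* Attacker-controlled allocation of the same size class reuses slot 0.
     * The constructed payload overwrites the callback field. */
    unsigned char *spray = slab_alloc(&slab);
    int (*fp)(int) = attacker_handler;
    memcpy(spray, &fp, sizeof fp);

    return w->on_event(1);           /* control flow hijacked: returns 0xBAD */
}

/* Hardened flow: the reference is nulled when the object is released and
 * checked before use, so the stale pointer can no longer be dereferenced. */
static void widget_release(slab_t *s, widget_t **wp) {
    slab_free(s, *wp);
    *wp = NULL;                      /* no dangling pointer survives the free */
}

int run_hardened(void) {
    slab_t slab = {0};
    widget_t *w = slab_alloc(&slab);
    w->on_event = safe_handler;
    w->id = 7;

    widget_release(&slab, &w);

    unsigned char *spray = slab_alloc(&slab);   /* same attacker step */
    int (*fp)(int) = attacker_handler;
    memcpy(spray, &fp, sizeof fp);

    if (w == NULL) return -1;        /* use refused; a real fix would also keep
                                        the object alive while referenced */
    return w->on_event(1);
}

int main(void) {
    printf("vulnerable dispatch returned 0x%x\n", run_vulnerable());
    printf("hardened dispatch returned %d\n", run_hardened());
    return 0;
}
```

Nulling a single pointer is the minimal illustration; in a browser an object is usually referenced from several places, so real fixes tend to correct ownership or reference counting so the object outlives every user, and hardened allocators (partitioned heaps, delayed reuse of freed slots) make the reallocation step unreliable rather than impossible.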

Bradley Barth
