Patch Management

Firefox 25 includes patches for critical memory bugs

October 30, 2013

On Tuesday, Mozilla introduced Firefox 25 to users, releasing 10 patches for bugs in its browser.

Of the 10 fixes, five were patches for vulnerabilities deemed “critical,” meaning the bug can be exploited by an attacker to run malicious code and install software requiring “no user interaction beyond normal browsing,” a Mozilla security advisory said.

Installing Firefox 25 addresses a total of 15 vulnerabilities in the browser. The critical issues consist of use-after-free vulnerabilities, a memory corruption issue in the JavaScript engine, and several memory safety bugs.

Of note, patch MFSA 2013-93 plugged memory safety bugs that could potentially allow an attacker to run code of their choosing, Mozilla warned.

“Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products,” the patch advisory said. “Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.”

Bugs posing a “moderate” and “high” threat to users were fixed with the remaining five patches in the release. The fixes addressed a number of issues, including a security bypass vulnerability that could lead to information disclosure of local system files and an issue that could be exploited to spoof displayed address bars, leading to clickjacking attacks.

“Clickjacking” is a hacker method used to reroute traffic to websites and online advertisements of the attackers' choosing.
