Firefox 46 Patches Critical Memory Vulnerabilities

Mozilla released Firefox 46, which includes patches for one critical and four high-severity vulnerabilities, all of which can lead to remote code execution.

Mozilla yesterday updated Firefox and patched 10 vulnerabilities, one which was rated critical.

Firefox 46 also included patches for four vulnerabilities that Mozilla rated as high severity. Critical bugs enabled remote code execution without user interaction, while bugs rated high can be exploited to steal browser data or inject code into websites via the browser.

The critical vulnerability was found internally and included four memory-related flaws in the browser engine used by Firefox and other Mozilla software.

“Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code,” Mozilla said in its advisory.

All four bugs—CVE-2016-2807, CVE-2016-2806, CVE-2016-2805, and CVE-2016-2804—cause the browser to crash; CVE-2016-2805 affects only Firefox ESR 38.8.

As for the high-severity vulnerabilities, one publicly disclosed by researchers at Newcastle University in the U.K. affects only mobile versions of Firefox for Android. The researchers found that they could use JavaScript with orientation data and motion sensors of the mobile browser to disclose user actions on the device.

“This allows an attacker to infer touch actions on the device through these sensors when orientation events are triggered in the browser, compromising user privacy and including potentially revealing entered PIN code data along with other user activities,” Mozilla said in its advisory.

Mozilla also patched a buffer overflow in libstagefright because of the way it handles CENC offsets and sizes table, and a use-after-free and buffer overflow flaws in Firefox’s Service Workers.

The remaining high-severity bug was disclosed privately by the information security arm of the U.K. intelligence agency GCHQ. The flaw is that the .watch() JavaScript method could overflow the underlying HashMap and allow an attacker to write to an invalid entry.

“Under the right conditions this write could lead to arbitrary code execution,” Mozilla said in its advisory. “The overflow takes considerable time and a malicious page would require a user to keep it open for the duration of the attack.”

Mozilla also patched a handful of flaws it rated as moderate severity because they work only in non-default configurations, or require extra actions on the user’s part to exploit.

Suggested articles