The Mozilla Foundation released Firefox 24 yesterday, issuing 17 security patches for the browser. Seven of the bulletins received the highest, critical impact rating, four are considered high impact advisories, the second most severe rating, and the remaining six are of moderate impact.
Mozilla’s patch contained more total and critically rated advisories than any other since January.
According to Mozilla’s security advisories, critical impact bugs are those that give attackers the ability to run code or install malicious software with no user interaction beyond typical browsing:
The first critical advisory, MFSA 2013-92, resolves a garbage collection hazard with default compartments and frame chain. The bug, which could be exploited to establish a use-after-free scenario, was uncovered by a security researcher operating under the handle Nils and a Mozilla developer named Bobby Holley.
MFSA 2013-90 covers a pair of memory corruption bugs also reported by Nils. The first led to a use-after-free condition while scrolling through an image document, and the second had to do with nodes in a range request being added as children of two different parents.
Security researcher Aki Helin found that combining lists, floats, and multiple columns could trigger an exploitable buffer overflow, which Mozilla fixes with MFSA 2013-89.
Using the Address Sanitizer tool, researcher Scott Bell discovered a use-after-free condition after the destruction of a <select> form element. If MFSA 2013-81 goes unpatched, it could lead to a potentially exploitable crash.
Chrome security team member Abhishek Arya, also using the Address Sanitizer tool, found a use-after-free problem (MFSA 2013-79) in the Animation Manager that leads to a crash.
MFSA 2013-78 patches an integer overflow bug, discovered by Alex Chapman, in the Almost Native Graphics Layer Engine (ANGLE) library that Mozilla uses. The vulnerability existed because “of insufficient bounds checking in the drawLineLoop function, which can be driven by web content to overflow allocated memory, leading to a potentially exploitable crash.”
The last critical impact bulletin, MFSA 2013-76, fixes a handful of memory safety hazards uncovered by Mozilla developers.
The four high impact advisories fix a JavaScript compartment mismatch issue; an issue in Firefox for Android that allows the loading of shared objects from writeable locations; Mozilla’s failure to lock MAR files after signature verification, a problem that could potentially allow an attacker to run executable files; and another crash bug that has to do with the calling scope for JavaScript objects. High impact vulnerabilities are those that an attacker can exploit to gather sensitive data from other sites the user is visiting, or to inject data or code into those sites, again while the user is browsing normally.
Moderate impact bugs are high or critical impact bugs that an attacker could only exploit under uncommon circumstances, such as when a user is running non-default configurations. Mozilla’s fixes for these bugs are as follows: user-defined properties on DOM proxies get the wrong “this” object, WebGL information disclosure through OS X NVIDIA graphics drivers, uninitialized data in IonMonkey, same-origin bypass through symbolic links, NativeKey continues handling key messages after the widget is destroyed, and improper state in the HTML5 Tree Builder with templates.