Firefox 36 Arrives With Patches For Three Critical Flaws

Mozilla has patched 16 security vulnerabilities in Firefox, including three critical flaws in the browser.

One of the critical vulnerabilities patched with the release of Firefox 36 is a buffer overflow in the libstagefright media library that is potentially exploitable under some circumstances.

“Security researcher Pantrombka reported a buffer overflow in the libstagefright library during video playback when certain invalid MP4 video files led to the allocation of a buffer that was too small for the content. This led to a potentially exploitable crash,” the Mozilla advisory says.
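The advisory describes a common demuxer bug class: a heap buffer is sized from a length field read out of an untrusted MP4 file, the computation goes wrong for certain invalid inputs, and the resulting allocation is smaller than the data later written into it. The C below is an added illustration of that class, written for this page; it is not libstagefright or Mozilla code and does not reproduce the specific flaw. The box layout, the constructed sample bytes, and the assumption that the naive path multiplies in 32-bit unsigned arithmetic are all hypothetical choices made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed, hypothetical box layout (not a real MP4 box definition):
 *   uint32 size         big-endian, whole box including this header
 *   char   type[4]
 *   uint32 entry_count
 *   uint32 entry[entry_count]
 */
#define BOX_HEADER_LEN 8u
#define ENTRY_LEN      4u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable sizing pattern: the product is computed in 32 bits and wraps.
 * For entry_count = 0x40000001 it yields 4, so a malloc(4) would be followed
 * by a copy of 0x40000001 entries. Only the size is computed here; no copy
 * is performed, so calling it is safe. */
uint32_t naive_alloc_size(uint32_t entry_count) {
    return entry_count * ENTRY_LEN;   /* uint32_t arithmetic wraps silently */
}

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_BAD_SIZE, PARSE_OOM };

/* Hardened reader: every length derived from the file is checked against the
 * bytes actually present before anything is allocated or copied. */
enum parse_status parse_entries(const uint8_t *buf, size_t buf_len,
                                uint32_t **entries_out, uint32_t *count_out)
{
    *entries_out = NULL;
    *count_out = 0;
    if (buf_len < BOX_HEADER_LEN + 4)
        return PARSE_TRUNCATED;               /* not even a full header */

    uint32_t box_size = be32(buf);
    if (box_size < BOX_HEADER_LEN + 4 || box_size > buf_len)
        return PARSE_BAD_SIZE;                /* box claims more than we have */

    uint32_t count = be32(buf + BOX_HEADER_LEN);
    /* Multiply in 64 bits so the product cannot wrap, then compare it with
     * the payload that is really inside the box. */
    uint64_t need  = (uint64_t)count * ENTRY_LEN;
    uint64_t avail = (uint64_t)box_size - BOX_HEADER_LEN - 4;
    if (need > avail)
        return PARSE_BAD_SIZE;                /* count does not fit the box */

    uint32_t *entries = NULL;
    if (count > 0) {
        entries = malloc((size_t)need);       /* exactly what the loop writes */
        if (!entries)
            return PARSE_OOM;
        for (uint32_t i = 0; i < count; i++)
            entries[i] = be32(buf + BOX_HEADER_LEN + 4 + (size_t)i * ENTRY_LEN);
    }
    *entries_out = entries;
    *count_out = count;
    return PARSE_OK;
}

/* Convenience wrapper: sum of the entries on success, or the negated
 * parse_status on failure. */
long sum_entries(const uint8_t *buf, size_t buf_len) {
    uint32_t *e = NULL, n = 0;
    enum parse_status st = parse_entries(buf, buf_len, &e, &n);
    if (st != PARSE_OK)
        return -(long)st;
    long sum = 0;
    for (uint32_t i = 0; i < n; i++)
        sum += e[i];
    free(e);
    return sum;
}

/* Constructed sample boxes (made up for this example). */
static const uint8_t good_box[] = {
    0x00,0x00,0x00,0x14, 's','t','s','z',   /* size 20, type */
    0x00,0x00,0x00,0x02,                    /* entry_count 2 */
    0x00,0x00,0x01,0x00,                    /* entry 256 */
    0x00,0x00,0x02,0x00                     /* entry 512 */
};
/* entry_count = 0x40000001: 32-bit count*4 wraps to 4, but only 4 payload
 * bytes exist, so the hardened reader rejects it. */
static const uint8_t evil_box[] = {
    0x00,0x00,0x00,0x10, 's','t','s','z',
    0x40,0x00,0x00,0x01,
    0x00,0x00,0x00,0x00
};

int main(void) {
    printf("naive size for 0x40000001 entries: %u bytes\n",
           naive_alloc_size(0x40000001u));
    printf("good box: %ld\n", sum_entries(good_box, sizeof good_box));
    printf("evil box: %ld\n", sum_entries(evil_box, sizeof evil_box));
    return 0;
}
```

The point of the hardened path is that the allocation size and the copy bound are derived from the same checked quantity, so an invalid file can at worst be rejected, never written past the end of a heap buffer. Fuzzing a reader like this under Address Sanitizer, the tool named in the IndexedDB report below, is how such mismatches are usually found.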

Among the other critical bugs patched in this release is a use-after-free vulnerability in the IndexedDB component of the browser.

“Security researcher Paul Bandha used the Address Sanitizer tool to discover a use-after-free vulnerability when running specific web content with IndexedDB to create an index. This leads to a potentially exploitable crash,” Mozilla said in its advisory.

Firefox 36 also patches a variety of memory safety vulnerabilities, along with a number of high-risk bugs, one of which affects the Mozilla updater. That bug could let a malicious DLL planted in the updater's working directory or in a Windows temporary directory run with elevated privileges.

“Security researcher Holger Fuhrmannek reported that when the Mozilla updater is run directly, the updater will load binary DLL format files from the local working directory or from the Windows temporary directories. This occurs when it is run without the Mozilla Maintenance Service on Windows systems. This allowed for possibly malicious DLL files to execute with elevated privileges if a user agrees when a User Account Control (UAC) prompt from Windows is displayed,” the advisory says.

The new browser also includes fixes for a handful of other medium and low-risk security bugs.


Discussion

  • Rick on

    Today my Firefox died. NOTHING will revive it. I tried everything that their website help suggested. Nothing worked. I even uninstalled and then installed from their website. Still dead. I keep getting "Firefox is not responding" ... EPIC FAIL, Mozilla Firefox!!
  • Mmm on

    Try to use it on another computer or laptop; if they do work, ur PC is FAIL.
  • Rick < FAIL on

    ^ It works on my PC, so ur PC is FAIL
  • Bob on

    Do version numbers on mobile versions of Firefox correspond to desktop version numbers? I just tried to update my tablet version from version 35 and it said that no version is available.
  • Alice on

    Hello! chat leaves a dangerous privacy hole in the browser. It makes proxies and VPNs useless. To fix it, set media.peerconnection.enabled = false in about:config.
