Mozilla has fixed 13 security flaws in Firefox 38, including five critical vulnerabilities. The new version of the browser also includes a feature that enables the use of DRM-enabled video content in Firefox, a decision that comes with some controversy.
DRM (digital rights management), the generic name for technologies that are used to restrict the consumption of premium content, is widely seen as a flawed system, and Mozilla officials acknowledged that enabling DRM-wrapped content in Firefox was a difficult decision.
“A year ago, we announced the start of efforts to implement support for a component in Firefox that would allow content wrapped in Digital Rights Management (DRM) to be played within the HTML5 video tag. This was a hard decision because of our Mission and the closed nature of DRM. As we explained then, we are enabling DRM in order to provide our users with the features they require in a browser and allow them to continue accessing premium video content. We don’t believe DRM is a desirable market solution, but it’s currently the only way to watch a sought-after segment of content,” Denelle Dixon-Thayer of Mozilla wrote in a post.
“Today, Firefox includes an integration with the Adobe Content Decryption Module (CDM) to playback DRM-wrapped content. The CDM will be downloaded from Adobe shortly after you upgrade or install Firefox and will be activated when you first interact with a site that uses Adobe CDM.”
To help alleviate potential user pushback on this decision, Mozilla is also offering a version of Firefox 38 that doesn’t include the CDM. The company has also designed a sandbox that encompasses the CDM.
On the security patch side of things, Firefox 38 includes fixes for the five critical flaws, as well as five high-risk bugs and two moderately rated vulnerabilities. Among the critical bugs is a buffer overflow in the way the browser parses compressed XML.
“Security researcher Ucha Gobejishvili used the Address Sanitizer tool to find a buffer overflow while parsing compressed XML content. This was due to an error in how buffer space is created and modified when handling large amounts of XML data. This results in a potentially exploitable crash,” the Mozilla advisory says.
There is another buffer overflow involving SVG content and CSS, as well as a use-after-free vulnerability that occurs during some text processing operations. Firefox 38 also fixes a handful of memory safety issues.