Mozilla fixed 13 security issues, including two critical vulnerabilities that could have led to spoofing and clickjacking, among other issues, when it updated Firefox to the latest build, Firefox 47, this week.
One of the issues, a buffer overflow, could have resulted in a potentially exploitable crash according to an advisory published by the company on Tuesday. According a security researcher that goes by the handle firehack, the overflow could have popped up when the browser parsed HTML5 fragments in a foreign context. When a fragment was inserted into an existing document, it could’ve crashed the browser.
The second critical issue corresponds to not one, but several memory safety bugs reported by 14 different Mozilla developers and community members. The details of the bugs weren’t revealed, but according to the advisory the likeliness that some could be exploited to run arbitrary code was high enough that it warranted fixing.
A handful of vulnerabilities branded high by the company were also fixed in Firefox this week, including two out-of-bounds write vulnerabilities and two use-after-free vulnerabilities. If exploited they could lead to privilege escalation, a potential crash, and persistent denial of service attacks, to name a few outcomes. In addition to the DoS attack, an attacker would be able to manipulate pointerlock, a web API, so that it could lead to spoofing and clickjacking attacks, Mozilla warns.
Firefox 47 also switches all NPAPI plugins, other than Flash, to click-to-activate by default.
The whitelist plugin has been expired in the eyes of Mozilla developers for a while now. Mozilla previously announced plans to completely remove support for NPAPI plugins in Firefox by the end of 2016. This week’s move should preemptively help thwart attackers who have increasingly preyed on plugin exploits. Benjamin Smedberg, an Engineering Manager at Mozilla rationalized a few months ago that there would be a minority of users affected by the move, but the bulk of the plugins are neither used nor relevant. Either way, users should still be able to activate them manually.
For the most part, plugins have remained a steady source of performance problems, crashes, and security incidents for users, regardless of the browser. Google’s Chrome browser and Microsoft’s Edge browser have already removed support for legacy plugins over the past year.
The latest Firefox update also brings a handful of aesthetic changes to the browser, including improvements to YouTube playback, a sidebar for synced tabs, and a number of web platform changes. The update can be applied either through Firefox’s update mechanism, through Firefox.com. Some Android users who update Firefox through Google Play will be doing so for the last time. Mozilla previously announced that Firefox 47 is the last version Android Gingerbread it will support.