Mozilla released the 25th version of its mobile and desktop Firefox browser yesterday, fixing 10 vulnerabilities, five of them critical.
The United States Computer Emergency Readiness Team (US-CERT) warned yesterday that the vulnerabilities could let an attacker execute arbitrary code, bypass access restrictions, obtain sensitive information and cause a denial-of-service (DoS) condition.
According to the Mozilla Security Foundation Advisory, the critical fixes address a few problems, namely a series of use-after-free bugs and memory bugs in the JavaScript engine that can open the system up to attackers and lead to a crash.
While not critical, another patched bug, discovered by security researcher Cody Crews, could have let an attacker append an iframe into an embedded PDF object. The result could have been the disclosure of local system files and the bypassing of security restrictions.
According to the company’s bug-tracking database Bugzilla, 565 bugs in total were fixed in Firefox 25.0.
While Mozilla’s Thunderbird mail client (24.1) and SeaMonkey (2.22) Internet application suite were also updated yesterday, most of the bugs fixed were only at risk of being exploited in the Firefox browser or Firefox “browser-like contexts.” Because scripting is disabled in Thunderbird and SeaMonkey, the bugs are less likely to be exploited there.
Mozilla’s mobile version got an upgrade yesterday as well, bringing some existing security features from the desktop browser to Android devices.
One of those features, mixed content blocking, was introduced in the main Firefox browser back in August and should protect users from man-in-the-middle attacks and eavesdroppers on HTTPS pages. The feature reduces the threat of insecure images, audio and JavaScript on HTTPS pages by blocking them by default.
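For site operators, the practical consequence of mixed content blocking is that any `http://` subresource left on an HTTPS page becomes a candidate for blocking. The following audit script is an added example, not code from Mozilla or from this article; it flags insecure image, audio and script references in a page's HTML, and the host names and sample markup are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs for the resource types the article names.
WATCHED = {("img", "src"): "image", ("audio", "src"): "audio",
           ("source", "src"): "media", ("script", "src"): "script"}

class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base = page_url      # replaced by the first <base href>, if any
        self.base_seen = False
        self.findings = []        # (kind, resolved URL, source line)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href") and not self.base_seen:
            # A <base> pointing at http:// silently downgrades relative URLs.
            self.base = urljoin(self.page_url, attrs["href"].strip())
            self.base_seen = True
            return
        kind = next((k for (t, a), k in WATCHED.items()
                     if t == tag and attrs.get(a)), None)
        if kind is None:
            return
        # Resolve relative and protocol-relative URLs before judging them.
        resolved = urljoin(self.base, attrs["src"].strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((kind, resolved, self.getpos()[0]))

def audit(page_url, html):
    """Return insecure subresource references found in an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []                 # mixed content only applies to HTTPS pages
    parser = MixedContentAuditor(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; all host names are placeholders.
SAMPLE = """<html><head>
<script src="https://static.example.test/app.js"></script>
<script src="http://ads.example.test/track.js"></script>
</head><body>
<img src="//img.example.test/logo.png">
<img src="http://img.example.test/banner.png">
<audio src="/media/intro.ogg"></audio>
</body></html>"""
```

Calling `audit("https://shop.example.test/cart", SAMPLE)` reports the two explicit `http://` references and leaves the protocol-relative and root-relative ones alone, since those inherit the page's HTTPS scheme.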
The latest mobile build also supports guest browsing, making it easier for users to lend their device to others without having to worry about revealing any sensitive bookmarks or history.
Both the guest browsing and mixed content blocking features were introduced in the beta version of the mobile browser back in September but officially went live in the stable version yesterday.
As usual, both versions of Firefox, for mobile and desktop, along with updated versions of Thunderbird and SeaMonkey, are available at their respective download pages.