Mozilla fixed three critical vulnerabilities when it released Firefox 55 on Tuesday, including bugs that could have triggered a crash of the browser and allowed for the execution of arbitrary code.
The code execution vulnerability stems from an XUL injection vulnerability due to improper sanitization of the web page source code. XUL, or XML User Interface Language, is Mozilla’s language for building app interfaces. Frederik Braun, a Berlin-based security engineer for Mozilla who found the vulnerability, cautions the bug could allow for code execution if a user opened a malicious page with the browser’s style editor developer tool.
The other two critical bugs, use-after-free vulnerabilities, could have led to exploitable crashes.
One could have occurred in the browser’s WebSockets technology if “an object holding the connection is freed before the disconnection operation is finished.” The second bug, uncovered by longtime bug hunter Nils, could have occurred while “re-computing layout for a marquee element during window resizing where the updated style object is freed while still in use.”
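The first of those two descriptions is the classic asynchronous use-after-free pattern: an owner drops an object while a queued operation still holds a raw pointer to it, so the operation's completion handler runs on freed memory. The C program below is an added illustration of that pattern and its usual fix (the in-flight operation takes its own reference so the object cannot be freed until the operation completes). It is not Firefox or WebSockets code; the connection object, the slab allocator that tracks liveness, the event structure and the peer address are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_CONNS 4

/* Hypothetical connection object. The `live` flag is slab bookkeeping so the
 * example can observe "freed" deterministically instead of triggering real
 * undefined behaviour; a production object would have no such field. */
typedef struct {
    bool live;      /* slot currently allocated */
    int  refcount;  /* strong refs: owner + every in-flight operation */
    bool open;
    char peer[32];
} conn_t;

static conn_t slab[MAX_CONNS];

conn_t *conn_alloc(const char *peer) {
    for (int i = 0; i < MAX_CONNS; i++) {
        if (!slab[i].live) {
            slab[i].live = true;
            slab[i].refcount = 1;          /* the owner's reference */
            slab[i].open = true;
            strncpy(slab[i].peer, peer, sizeof slab[i].peer - 1);
            slab[i].peer[sizeof slab[i].peer - 1] = '\0';
            return &slab[i];
        }
    }
    return NULL;
}

void conn_retain(conn_t *c)  { c->refcount++; }

/* Drop one reference; the slot is freed when the last reference goes. */
void conn_release(conn_t *c) {
    if (--c->refcount == 0) {
        c->live = false;
        c->open = false;
    }
}

int live_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_CONNS; i++) n += slab[i].live;
    return n;
}

/* A deferred "disconnect finished" event, as a network stack would queue it. */
typedef struct {
    conn_t *target;
    bool    holds_ref;   /* does the pending operation own a reference? */
} disconnect_event_t;

/* Completion handler. Returns false if it ran on an already-freed object,
 * which in real code is the point where the use-after-free happens. */
bool on_disconnect_done(disconnect_event_t *ev) {
    conn_t *c = ev->target;
    if (!c->live) return false;
    c->open = false;
    if (ev->holds_ref) conn_release(c);   /* operation's reference is done */
    return true;
}

/* Buggy sequencing: the event keeps only a raw pointer, the owner releases
 * the connection, and the completion fires afterwards on freed memory. */
bool buggy_sequence(void) {
    conn_t *c = conn_alloc("198.51.100.7:443");      /* constructed peer */
    disconnect_event_t ev = { .target = c, .holds_ref = false };
    conn_release(c);                 /* refcount hits 0: object freed */
    return on_disconnect_done(&ev);  /* false: handler touched a freed slot */
}

/* Fixed sequencing: the pending operation holds its own reference, so the
 * owner's release cannot free the object before the operation completes. */
bool fixed_sequence(void) {
    conn_t *c = conn_alloc("198.51.100.7:443");
    conn_retain(c);                  /* reference owned by the pending op */
    disconnect_event_t ev = { .target = c, .holds_ref = true };
    conn_release(c);                 /* owner gone; refcount is still 1 */
    bool ok = on_disconnect_done(&ev);   /* completes, then drops last ref */
    return ok && live_count() == 0;      /* object freed only after completion */
}

int main(void) {
    printf("buggy sequence safe:  %s\n", buggy_sequence() ? "yes" : "no");
    printf("fixed sequence safe:  %s\n", fixed_sequence() ? "yes" : "no");
    return 0;
}
```

The detection value here is the ordering, not the data structure: any object that can outlive its owner because a queued callback still points at it needs the callback to hold a reference (or the owner to cancel the operation before release). Fuzzing harnesses and ASan builds catch this class precisely because the completion runs on memory the allocator has already reclaimed.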
A handful of other issues, including four additional use-after-free vulnerabilities, a buffer overflow, and a same-origin bypass, all marked high severity, were also fixed on Tuesday. The bugs could be used to bypass memory protections, lead to information disclosure, or, like the critical vulnerabilities, cause a crash.
Twenty-nine vulnerabilities in total were fixed with Firefox 55, the first iteration of the browser to turn on click-to-activate functionality for Flash by default.
The move has been in the works for years. Mozilla first enabled click-to-play for virtually all plugins, except the latest release of Flash, back in 2013.
Previous versions of Firefox gave users the option to disable Flash by default. With Flash running only on demand, the browser prompts users to decide whether they want to activate the plugin when they navigate to a page that requires it.
The move comes a few weeks after Adobe announced that it would finally kill off Flash in 2020.
Benjamin Smedberg, a senior engineering manager at Mozilla, said shortly after Adobe’s announcement that Firefox was planning on disabling Flash by default in 2019. Firefox’s Extended Support Release (ESR) version will allow users to continue using Flash until the end of 2020.
“In order to preserve user security, once Flash is no longer supported by Adobe security patches, no version of Firefox will load the plugin,” Smedberg wrote.