Mozilla fixed 32 vulnerabilities, including a critical use-after-free bug that could have resulted in a potentially exploitable crash, with Tuesday's release of Firefox 54, the latest version of its flagship browser.
The critical bug, a use-after-free vulnerability (CVE-2017-5472) in the browser's frame loader, was dug up by longtime bug hunter Nils. It surfaces during tree reconstruction while regenerating CSS layout: the code attempts to use a node in the tree that no longer exists, and the result is a potentially exploitable crash.
The update also resolved a dozen vulnerabilities Mozilla rated high impact, including three further use-after-free bugs: one during video control operations, one in the content viewer, and one during docshell reloading. All of them could likewise have crashed the browser, but Mozilla deemed them less serious than CVE-2017-5472. A crash is only the benign outcome of a use-after-free; because freed memory can be reallocated to attacker-controlled data before the stale pointer is used, such bugs are routinely turned into code execution, which is what Mozilla's "potentially exploitable crash" wording refers to.
Some of the vulnerabilities were specific to certain platforms. One, CVE-2017-7759, could have allowed local data to be read in violation of the same-origin policy, but only in Firefox for Android.
Another vulnerability (CVE-2017-7755) could have allowed privilege escalation via the Firefox installer, but only on Windows. That bug, discovered by Yuji Tounai, a Tokyo-based researcher with NTT Communications, could have caused the installer to load malicious DLL files stored in the same directory as the installer. This is the classic DLL search-order hijack: when a Windows executable loads a library that is not on the system's KnownDLLs list, the loader looks in the executable's own directory before the system directories, so a DLL with the expected name dropped into a user's Downloads folder next to the installer gets loaded, and if the installer has been granted administrator rights through UAC, the DLL's code runs with them too. A separate Windows-specific issue, discovered by security researcher Holger Fuhrmannek, also affected the browser's installer: it could have allowed manipulation of files stored in the installer's directory and, like Tounai's issue, privilege escalation.
Fuhrmannek has found a number of issues in Firefox before, including another privilege escalation bug in Mozilla's Maintenance Service updater, fixed in Firefox 46 last year.
Mozilla also fixed four vulnerabilities on Tuesday that could have led to address bar spoofing. According to Mozilla's advisory, one bug caused Tibetan characters to be displayed as whitespace on OS X. Mozilla said another bug allowed characters from the Canadian Syllabics Unicode block to be mixed with characters from other Unicode blocks to carry out domain name spoofing attacks. Both are instances of the same underlying problem: the address bar displays the decoded Unicode form of a hostname, and the glyphs the user sees can be made to resemble a different, trusted name than the one the browser actually connected to.
None of the bugs were credited to Xudong Zheng, the Chinese researcher who in April brought to light a similar Unicode bug that could have been used to carry out phishing attacks: a domain composed entirely of Cyrillic letters that look like Latin ones renders as a familiar brand name. Google fixed the issue in Chrome 58, but Firefox developers elected to stand pat, and Mozilla still appears to be in a holding pattern over Zheng's report. At the time, Firefox developers urged users to turn on Safe Browsing to protect themselves from phishing. Users who would rather see such names in their raw xn-- form can set the about:config preference network.IDN_show_punycode to true, which makes Firefox display every internationalized domain name as punycode.
In addition to the bug fixes, Mozilla is boasting that Firefox 54 is the first release to run web page content in multiple operating system processes, which it says improves performance. Multi-process support, a project Mozilla dubbed Electrolysis (e10s), has been in development for years. Rather than handling all tabs in a single content process, Firefox 54 spreads page content across up to four content processes by default, separate from the main browser process. Process separation is also a prerequisite for sandboxing web content away from the rest of the browser, though performance is the benefit Mozilla highlighted for this release.