Mozilla patched several critical vulnerabilities with the release of its Firefox 67 browser on Tuesday.
The worst of the bugs patched are two memory safety flaws that could allow attackers to take control of an affected system, according to a security bulletin issued by the United States Computer Emergency Readiness Team (US-CERT).
One of the critical bugs (CVE-2019-9800) impacts the Firefox and Firefox ESR browsers in version 66. Firefox ESR is the Extended Support Release version of Firefox, designed for mass deployments.
“Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code,” wrote Mozilla in its bulletin.
A second critical memory vulnerability (CVE-2019-9814), found in Firefox 66 (but not in Firefox ESR), could also be exploited to run arbitrary code, according to Mozilla.
The technical specifics of both the critical bugs have not yet been released. Still unknown is whether either critical vulnerability can be exploited remotely or if they require local access to impacted systems.
As with all bugs publicly disclosed Tuesday, upgrading to the latest Firefox 67 browser will patch the flaws. In all, Mozilla issued patches for 21 bugs. Of those patches, two were rated critical, 11 high, six moderate and two low.
Mozilla Firefox 67 Touts Privacy and Speed
The bug fixes coincide with a significant update to the Firefox browser that introduces privacy additions and under-the-hood tweaks to make the browser more competitive with Google Chrome in the speed department.
On the privacy front, Mozilla Firefox 67 now blocks cryptomining scripts and digital fingerprinting of the browser. Digital fingerprinting is when a website identifies a user based on a unique set of the visitor's system parameters, such as screen information, operating system version, browser time zone and installed plugins, as well as cookies, time on site, clicks on site locations, and mouse and touchscreen behavior.
“Today’s Firefox release gives you the option to ‘flip a switch’ in the browser and protect yourself from these nefarious practices,” wrote Marissa Wood, vice president of Firefox product management at Mozilla.
Mozilla has also enhanced its Private Browsing features. Firefox 67 now allows users to browse in Private Browsing mode and still take advantage of stored passwords. Another safety, security and privacy feature gives users the ability to disable and enable web-extensions when in Private Browsing mode.