Security Alert (A15-08-08): Multiple Vulnerabilities in Firefox

Description:

Mozilla has published security advisories to address multiple vulnerabilities found in Firefox. These vulnerabilities are caused by use-after-free error or add-on notification bypass through "data:" URL. A remote attacker could entice a user to open a web page with specially crafted content to exploit the vulnerabilities.

Affected Systems:

• Firefox prior to version 40.0.3
• Firefox ESR 38.x prior to version 38.2.1
  (Firefox ESR 31.x could also be affected but it has reached end-of-support)

Impact:

Depending on the vulnerability exploited, a successful attack could lead to application crash, bypass of security restrictions or arbitrary code execution on an affected system.

Recommendation:

Mozilla has released new versions of the products to address the issues and they can be downloaded at the following URLs:

• Firefox 40.0.3 for Windows, Macintosh and Linux
  http://www.mozilla.org/en-US/firefox/all.html
  
  
• Firefox ESR 38.2.1 for Windows, Macintosh and Linux
  http://www.mozilla.org/en-US/firefox/organizations/all/
  
  

Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

More Information:

https://www.mozilla.org/en-US/security/advisories/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-94/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-95/
https://wiki.mozilla.org/Enterprise/Firefox/ExtendedSupport:Proposal
https://www.hkcert.org/my_url/en/alert/15082801
https://www.us-cert.gov/ncas/current-activity/2015/08/27/Mozilla-Releases-Security-Updates-Firefox-and-Firefox-ESR
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4497 (to CVE-2015-4498)