Security Alert (A15-08-04): Multiple Vulnerabilities in Firefox


 

Published on: 12 August 2015

Description:

Mozilla has published security advisories to address multiple vulnerabilities found in Firefox. These vulnerabilities are caused by memory safety bugs in the browser engine, use-after-free error, integer overflows when handling MPEG4 video and buffer overflows in the Libvpx library used for WebM video. A remote attacker could entice a user to open a web page with specially crafted content to exploit the vulnerabilities.


Affected Systems:

  • Firefox prior to version 40
  • Firefox ESR 38.x prior to version 38.2
    (Firefox ESR 31.x could also be affected but it has reached end-of-support)

Impact:

Depending on the vulnerability exploited, a successful attack could lead to application crash, bypass of security restrictions, elevation of privilege and arbitrary code execution.


Recommendation:

Mozilla has released new versions of the products to address the issues and they can be downloaded at the following URLs:

  • Firefox 40 for Windows, Macintosh and Linux
    http://www.mozilla.org/en-US/firefox/all.html

  • Firefox ESR 38.2 for Windows, Macintosh and Linux
    http://www.mozilla.org/en-US/firefox/organizations/all/

Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.


Users of Firefox ESR 31.8 should be reminded that the product has reached end-of-support on 11 Aug 2015 and there will not be any patches available. Users should consider upgrading to newer versions for protections.

More Information:

https://www.mozilla.org/en-US/security/advisories/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-79/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-80/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-81/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-82/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-84/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-85/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-86/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-87/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-89/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-91/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-92/
https://wiki.mozilla.org/Enterprise/Firefox/ExtendedSupport:Proposal
https://www.hkcert.org/my_url/en/alert/15081216
https://www.us-cert.gov/ncas/current-activity/2015/08/11/Mozilla-Releases-Security-Updates-Firefox-Firefox-ESR-and-Firefox
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4473 (to CVE-2015-4475)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4477 (to CVE-2015-4493)



Tag: Firefox , Mozilla
Tags