Published on: 13 May 2015
Mozilla has published security advisories to address multiple vulnerabilities found in Firefox and Thunderbird. These vulnerabilities are caused by memory safety bugs in the browser engine, a buffer overflow when rendering SVG graphics or parsing compressed XML content, an out-of-bounds read and write in asm.js during JavaScript validation, and a use-after-free flaw during text processing with vertical text enabled. A remote attacker could entice a user to open a web page with specially crafted content to exploit the vulnerabilities.
Depending on the vulnerability exploited, a successful attack could lead to an application crash, bypass of security restrictions, elevation of privilege, information disclosure or arbitrary code execution.
Mozilla has released new versions of the products to address the issues and they can be downloaded at the following URLs:
Currently, the patch for Thunderbird is still pending from the product vendor. Since the vulnerabilities could be exploited by simply viewing a malicious website, as an interim measure and as general security best practice, users are reminded not to visit suspicious websites, not to follow URL links from untrusted sources or emails such as spam, and to keep anti-virus signatures and the detection and repair engine up to date.
Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.
https://www.mozilla.org/en-US/security/advisories/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-46/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-47/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-48/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-49/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-51/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-52/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-53/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-54/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-55/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-56/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-57/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-58/
https://www.mozilla.org/en-US/firefox/38.0/releasenotes/
http://www.mozilla.org/en-US/firefox/organizations/all/
https://www.hkcert.org/my_url/en/alert/15051307
https://www.us-cert.gov/ncas/current-activity/2015/05/12/Mozilla-Releases-Security-Updates-Firefox-Firefox-ESR-and
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0833
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2708 (through CVE-2015-2718)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2720