Published on: 01 April 2015
Mozilla has published security advisories to address multiple vulnerabilities found in Firefox and Thunderbird. These vulnerabilities are caused by memory safety bugs in the browser engine, a use-after-free flaw in handling certain MP3 files by Fluendo MP3 plugin, memory corruption during 2D graphics rendering and type confusion flaws. A remote attacker could entice a user to open a web page with specially crafted content to exploit the vulnerabilities.
Depending on the vulnerability exploited, a successful attack could lead to cross-site scripting, information disclosure and arbitrary code execution.
Mozilla has released new versions of the products to address the issues and they can be downloaded at the following URLs:
Currently, the patch for Thunderbird is still pending from the product vendor. Since the vulnerability could be exploited by simply viewing a malicious website, as an interim measure as well as security best practices, users are reminded not to visit suspicious websites, nor follow URL links from un-trusted sources or emails such as spam, and to keep the virus signature as well as detection and repair engine up-to-date.
Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.
https://www.mozilla.org/en-US/security/advisories/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-30/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-31/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-32/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-33/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-34/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-35/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-36/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-37/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-38/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-39/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-40/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-41/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-42/
https://www.mozilla.org/en-US/firefox/37.0/releasenotes/
http://www.mozilla.org/en-US/firefox/organizations/all/
https://www.hkcert.org/my_url/en/alert/15040101
https://www.us-cert.gov/ncas/current-activity/2015/03/31/Mozilla-Releases-Security-Updates-Firefox-Firefox-ESR-and
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0802
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0803
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0804
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0805
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0806
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0808
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0810
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0811
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0812
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0813
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0815
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0816