Mozilla has published security advisories to address multiple vulnerabilities found in Firefox. These vulnerabilities are caused by a use-after-free crash or by a failure to restrict access to the HTTP cache if Electrolysis (e10s) is disabled. A remote attacker could entice a user to open a web page with specially crafted content, or send malicious add-on updates, to exploit the vulnerabilities.
A successful attack could lead to information disclosure or denial of service on an affected system.
Mozilla has released a new version of the product to address the issues and it can be downloaded at the following URLs:
Users of affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk.
https://www.mozilla.org/security/advisories/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/
https://www.hkcert.org/my_url/en/alert/16102402
https://www.us-cert.gov/ncas/current-activity/2016/10/20/Mozilla-Releases-Security-Update-Firefox
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5287
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5288