Mozilla has officially released its latest build Firefox 31 for all supported platforms, addressing 11 vulnerabilities in total, three of which are marked critical that could have been exploited by hackers to mount remote code execution attacks.
Mozilla Firefox recommends its users to install the security update as soon as possible, warning that the three critical vulnerabilities discovered in its browser could be exploited by attackers and leverage them to "run attacker code and install software, requiring no user interaction beyond normal browsing".
CRITICAL VULNERABILITIES
The three major vulnerabilities are as follows:
- MFSA 2014-62 - This is one of the three critical vulnerabilities reported by Patrick Cozzi and get fixed in the newer version of the browser. The vulnerability allows the exploitation of a WebGL crash with Cesium JavaScript library. Much details about the flaw are not known at the time, but Mozilla notes that the flaw cannot be exploited through email in the Thunderbird client because scripting is disabled.
- MFSA 2014-59 - The second critical flaw discovered in the browser, reported by Mozilla community member James Kitchener, refers to a use-after-free vulnerability when handling DirectWrite font. The vulnerability could be exploited by an attacker to crash Firefox due to an error in the way it handles font resources and tables, when rendering MathML content with specific fonts. However exploiting this flaw would be possible only on Windows platform, it does not affect OS X or Linux systems.
- MFSA 2014-56 - This vulnerability refers to miscellaneous memory safety hazards, identified by Mozilla developers, that affected Mozilla version 30. Mozilla fixed several memory safety bugs in its browser engine used in Firefox and other Mozilla-based products in order to safeguard its customers.
"Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla wrote.
OTHER SECURITY VULNERABILITIES
Mozilla also addresses two high rated vulnerabilities that cause a potential danger, as they could be used by an attacker to fetch users' personal and sensitive information from other websites they visit or inject malicious code into those websites to infect users.
Moreover, the security issues fixed in the latest revision of Firefox mostly refer to use-after-free vulnerabilities, in Web Audio, with the FireOnStateChange event and when manipulating certificates in the trusted cache.
Also, to provide more security to its customers, the company has announced a protection mechanism against malicious downloads in its latest build. The feature relies on the Safe Browsing API from Google and leverages application reputation information to detect malware in file downloads.
The protection mechanism consists in verifying the metadata, such as download URL, SHA-256 hash, details about the certificate, belonging to the item requested by the user, and comparing it to a given block list.
Based on a local list of files and remote one, the verification of the metadata is carried out. If a match is found the file is not saved to disk. On the other hand, when files are signed, they are matched from a given whitelist, and the binary is marked as trusted and as a result of it, the remote check is no longer performed.
Additionally, a new SSL/TLS certificate verification is now available on Firefox latest build 31 that uses a more powerful and easier to maintain "mozilla::pkix" library. No doubt this change would go unnoticed by the regular user, but it would protect its users from the compatibility issues arose for websites that do not use an authorized certificate accepted in the Mozilla CA Program.
Update your Mozilla Firefox and Thunderbird as soon as possible. Stay Safe! Stay Secure!