Firefox 41 Releases, Clears Vulnerabilities

Thursday, September 24, 2015 @ 04:09 PM gHale

Mozilla released Firefox 41 Tuesday, patching vulnerabilities covered in 19 security advisories, four of them labeled critical.

One of the fixes was for a missing bounds check that led to memory safety errors when manipulating shaders, which could result in writes to unowned memory. A second, similar issue also affected shaders: insufficient memory was allocated for a shader attribute array. Both issues could lead to an exploitable crash. The errors were in libGLES in the ANGLE graphics library.

A separate use-after-free vulnerability, reported through HP’s Zero Day Initiative (ZDI), involved HTML media elements on a page during script manipulation of the URI table of those elements. This, too, would result in a potentially exploitable crash.

The release also addresses five advisories rated high, meaning they contain vulnerabilities that can gather sensitive data from sites in other windows or inject data or code into those sites with no more than normal browsing actions.

One of these bugs, CVE-2015-4505, allowed arbitrary code execution by a malicious user with local system access when the Mozilla updater runs. The updater can be manipulated into loading updated files from a working directory under user control, and when the Mozilla Maintenance Service on Windows runs the updates, the file can run with elevated privileges and replace arbitrary files on the system.

The new browser version also comes with added functionality for Firefox Hello Beta, a self-described “global communications systems built directly into a browser.” The new feature will allow users to send and receive instant messages when they’re in a Firefox video call.