Chemical Safety Incidents
Firefox 49 Patches Vulnerabilities
Friday, September 23, 2016 @ 05:09 PM gHale
Mozilla patched vulnerabilities with the release of Firefox 49, including a certificate pinning issue that exposes users to man-in-the-middle (MitM) attacks.
Critical flaws include various memory safety issues found by Mozilla developers and community members. Some of these weaknesses can end up leveraged to execute arbitrary code.
A couple of buffer overflows related to working with empty filters during canvas rendering and encoding image frames to images have also been rated critical.
The certificate pinning vulnerability comes in as a high severity flaw. The problem ends up caused by issues in the process used by Mozilla to update Preloaded Public Key Pinning, making pinning for add-on updates ineffective since the launch of Firefox 48 on September 10.
The flaw allows an MitM attacker who can obtain a certificate for addons.mozilla.org to replace legitimate add-on updates with malicious versions. This can lead to arbitrary code execution on the targeted system and no user interaction ends up required.
The attack is not easy to carry out, but researchers believe the vulnerability could end up leveraged by state-sponsored actors and criminal organizations.
The high severity bugs patched by Mozilla also include heap-buffer overflow, out-of-bounds read, bad cast, use-after-free and other weaknesses that could lead to information disclosure, crashes and arbitrary code execution. In addition to the critical and high severity flaws, Firefox 49 resolves two moderate and two low severity issues.