Updated Firefox Fixes Critical Flaws

Tuesday, April 7, 2015 @ 06:04 PM gHale


Mozilla released a new version of Firefox that addresses several critical vulnerabilities and adds OneCRL, which should improve revocation of fraudulently issued intermediate certificates used for validating and securing the connection to a legitimate host.

Under Mozilla’s classification, a critical flaw is one an attacker can exploit to run arbitrary code on the system without any interaction from the user.

Among the major fixes included in Firefox 37 there are two (CVE-2015-0803 and CVE-2015-0804) touching on type confusion, both credited to security researcher Nils, which could lead to use-after-free errors that generate potentially exploitable crashes of the web browser.

Abhishek Arya of the Google Chrome Security Team reported two memory corruption crashes (CVE-2015-0805 and CVE-2015-0806) when the browser rendered 2D graphics. According to the security advisory, the trouble lies in the Off Main Thread Compositing platform.

Another use-after-free error (CVE-2015-0813), which could end up leveraged to gain access to the system, came from Aki Helin, who discovered it while playing certain MP3 audio files with the Fluendo MP3 plugin for GStreamer on Linux.

The issue resides in the failure of the plug-in to properly handle some MP3 files and its interaction with code in Firefox.

Last on the list of critical vulnerabilities are memory safety hazards. These hazards constantly end up detected and repaired in Firefox revisions and usually are the result of work by Mozilla developers.

Some of these issues could end up exploited to attain memory corruption and Mozilla believes a determined attacker could manage to create an exploit and run arbitrary code on the machine.

Before OneCRL, whenever a rogue digital certificate ended up discovered, revoking it required Mozilla to update the web browser in order to integrate the changes for the certificate store used by Firefox.

With OneCRL, the developer can update the list of revoked certificates without pushing a new Firefox update, a process that causes the information to reach users with a delay and also involves costs for Mozilla.

Websites use digital certificates as a means of identification and offer users a secure connection to their servers. A certificate ends up issued by a Certificate Authority (CA), a trusted entity that verifies the legitimacy of the certificate owner. This way, a chain of trust ends up created on the web.

If a certificate falls into the wrong hands, whoever holds it could impersonate the website it should belong to and deliver malicious content to users. In these cases, the certificates need to be revoked in the shortest time possible.

“OneCRL helps speed up revocation checking by maintaining a centralized list of revoked certificates and pushing it out to browsers,” a Mozilla blog post said.


