Mozilla issues patches for Firefox vulnerabilities

Generally speaking, Firefox is one of the more solid browsers out there. When it comes to security, Mozilla (the creator of Firefox) is usually quite competent in creating a logical balance between efficiency and protection. Even good products, as anyone in InfoSec can tell you, are susceptible to vulnerabilities that require patching. This is simply the nature of the security business, and it is this very issue that Mozilla recently addressed for Firefox.

On November 15, the company issued a notice informing the security community that vulnerabilities had been patched in Firefox 50 and Firefox ESR 45.5. The vulnerabilities total 29 in all, with many rated as "high" and two being rated as "critical" by researchers at Mozilla. The first critical vulnerability, CVE-2016-5290, involves memory safety bugs that "with enough effort... could be exploited to run arbitrary code" due to memory corruption.

The second critical vulnerability, CVE-2016-5296, is "a heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially exploitable crash." Cairo is responsible for 2D rendering in Firefox. In addition to the critical vulnerabilities like CVE-2016-5296, some of the high-risk vulnerabilities involved exploitable crashes. Others notably allowed for the possibility of malicious Multipurpose Internet Mail Extension (MIME) confusion attacks.

As Threatpost pointed out in its article about the Firefox patches, Mozilla has been taking other proactive measures to prevent this type of browser-sniffing that opens the user up to cross-site scripting. Such measures include blocking "stylesheets, images, or scripts if their MIME type doesn’t match the context in which files are loaded." Nevertheless the patches in November prove that, while this measure was a good preventative initiative, it is not an end to XSS via MIME confusion attacks.

It is recommended that anyone running Firefox install these patches ASAP, as you never know if you will be attacked through these vulnerabilities.

Photo credit: TheBrickPsycho

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Published by
Derek Kortepeter

Recent Posts

How to repair PST files and import data back to Outlook or Office 365

If your business relies on Outlook, you can’t risk losing mailbox data because of PST files corruption. Here’s how to…

2 days ago

Container security rises to meet the challenges of container vulnerabilities

As container technology becomes ubiquitous, container security has become crucial. Here’s a look at some recent innovations in this growing…

2 days ago

Best of CES 2020: Products, innovations, and services

From flying Ubers to rolling robots, CES 2020 had it all — and then some. Here’s a look at some…

3 days ago

Hardening your technology infrastructure in preparation for a DDoS attack

By establishing these 11 appropriate controls beforehand, your organization will be better positioned to withstand and survive a DDoS attack.

3 days ago

Microsoft App-V as an application virtualization solution: Pros & cons

If your shop is considering using App-V as an application virtualization solution, read this article first and weigh the pros…

3 days ago

Ransomware threats: Cybercriminals take their wares to the next level

As companies and individuals harden their defenses against ransomware, hackers are creating new and more virulent ransomware threats.

4 days ago