The Mozilla Foundation announced this week the release of security updates that address critical and high impact vulnerabilities in Firefox, Firefox ESR, Thunderbird, and Netscape Portable Runtime. These vulnerabilities may allow attackers to execute arbitrary code, launch denial of service attacks and conduct clickjacking attacks.

The following updates are available from Mozilla:

Firefox 30

This is the current release of Mozilla’s flagship web browser.

Fixed in Firefox 30:
MFSA 2014-54 Buffer overflow in Gamepad API (High)
MFSA 2014-53 Buffer overflow in Web Audio Speex resampler (Critical)
MFSA 2014-52 Use-after-free with SMIL Animation Controller (Critical)
MFSA 2014-51 Use-after-free in Event Listener Manager (Critical)
MFSA 2014-50 Clickjacking through cursor invisibility after Flash interaction (High)
MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer (Critical)
MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6) (Critical)

Firefox ESR 24.6

Mozilla offers an Extended Support Release (ESR) based on an official release of Firefox for desktop for use by organizations including schools, universities, businesses and others who need extended support for mass deployments.

Fixed in Firefox ESR 24.6:
MFSA 2014-52 Use-after-free with SMIL Animation Controller (Critical)
MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer (Critical)
MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6) (Critical)

Thunderbird 24.6

This is Mozilla’s popular email client.

Fixed in Thunderbird 24.6:
MFSA 2014-52 Use-after-free with SMIL Animation Controller (Critical)
MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer (Critical)
MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6) (Critical)

Netscape Portable Runtime 4.10.6

NSPR provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and network I/O, interval timing and calendar time, basic memory management (malloc and free) and shared library linking.

Fixed in NSPR 4.10.6:
NSPR version 4.10.6 fixes an out-of-bounds write issue, reported by a Google Chrome Security researcher, that can lead to an exploitable crash or code execution.
