Security updates released this week by Mozilla include security fixes for numerous vulnerabilities in Firefox, Firefox ESR, and Thunderbird. These include three critical security updates for vulnerabilities that a remote attacker could exploit to obtain sensitive information or execute arbitrary code on the user’s system.
Updates available include:
- Firefox 36
- Firefox ESR 31.5
- Thunderbird 31.5
There are 3 critical fixes:
Fixed in Firefox 36: A buffer overflow in the libstagefright library during video playback, where invalid MP4 video files could cause allocation of a buffer that was too small for the content, resulting in a potentially exploitable crash.
Fixed in Firefox 36, Firefox ESR 31.5 and Thunderbird 31.5: A use-after-free vulnerability when running specific web content with IndexedDB to create an index, potentially resulting in an exploitable crash.
Fixed in Firefox 36, Firefox ESR 31.5 and Thunderbird 31.5: Several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption that could be exploited to run arbitrary code.
Other high severity issues addressed in these updates include:
- Ability to use autocomplete to obtain user information from readable files stored in known local locations.
- Potential for attackers to use Firefox to execute malware through its update facility.
- Ability for scripts to access browser memory using malicious MP3s.