Mozilla Firefox 31 Fixes three critical vulnerabilities

Mozilla Firefox logoOn July 22, Mozilla officially released the stable version of Firefox 31 for all supported platforms, integrating 11 security fixes, three of them being marked as critical.

One of the major vulnerabilities corrected would allow exploitation of a WebGL crash with Cesium JavaScript library. Details about this glitch are not available at the moment, but Mozilla notes that it cannot be leveraged through email in the Thunderbird client because scripting is disabled.

Another flaw refers to a use-after-free vulnerability when handling DirectWrite font. Exploiting it would be possible on Windows platform only, OS X and Linux remaining unaffected.

The potential risk would occur when rendering MathML content with certain fonts, an error in handling font resources and tables causing DirectWrite to crash; the result would be a use-after-free of a DirectWrite font-face object an attacker might be able to exploit.

Last on the list of critical fixes are multiple memory safety hazards that affected version 30 of the web browser. According to Mozilla, memory corruption would be evident in specific scenarios and a motivated attacker might find a way to take advantage and run arbitrary code.

Additional security vulnerabilities repaired by Mozilla in the latest revision of Firefox refer mostly to use-after-free flaws identified in Web Audio, with the FireOnStateChange event and when manipulating certificates in the trusted cache.

Security improvements do not stop at this, though, as the company announced that Firefox 31 has been added a protection mechanism against malicious downloads. The feature relies on the Safe Browsing API from Google and leverages application reputation information to detect malware in file downloads.

Mozilla Firefox 31

The mechanism consists in verifying the metadata, such as download URL, SHA-256 hash, details about the certificate, belonging to the item requested by the user, and comparing it to a given block list.

The verification is carried out both based on a local list of files as well as a remote one. If a match is found, the file is not saved to disk.

Alternatively, when files are signed, they are checked against a given whitelist, the binary is marked as trusted, and the remote check is no longer performed.

A new SSL/TLS certificate verification is now present in Firefox 31 and uses the more robust and easier to maintain “mozilla::pkix” library.

This should not be something noticeable by the regular user, but compatibility issues may arise for websites that do not use a certificate issued by an authority accepted in the Mozilla CA Program. A more comprehensive overview is available in an April post from Mozilla.

Source: Softpedia

Tags: browsers, Firefox, Mozilla

Add comment

Your name:
Sign in with:
Your comment:

Enter code:

E-mail (not required)
E-mail will not be disclosed to the third party

Last news

A mobile hotspot in Australia will be capable of hitting gigabit speeds on the go
A new game could be in the works as Blizzard appears to have been hiring for a Diablo-related project
Nokia CEO Rajeev Suri will speak at MWC 2017
However what if you could go way, way back?
The Helio P15 packs an octa-core Cortex-A53 processor clocked at 2.2GHz
Samsung claims up to 27-percent higher performance or 40-percent lower power
Preliminary data for October shows another Windows 10 boom
Samsung Galaxy TabPro S - a tablet with the Windows-keyboard
The first Windows-tablet with the 12-inch display Super AMOLED
June 7, 2016 /
Keyboards for iOS
Ten iOS keyboards review
July 18, 2015 /
Samsung E1200 Mobile Phone Review
A cheap phone with a good screen
March 8, 2015 / 4
Creative Sound Blaster Z sound card review
Good sound for those who are not satisfied with the onboard solution
September 25, 2014 / 2
Samsung Galaxy Gear: Smartwatch at High Price
The first smartwatch from Samsung - almost a smartphone with a small body
December 19, 2013 /
HP Slate 7 is a 7-inch Android 4 Tablet PC with good sound
A cost-effective, 7-inch tablet PC from a renowned manufacturer
October 25, 2013 / 4

News Archive



Do you use microSD card with your phone?
or leave your own version in comments