GovCERT.HK - Security Alert (A15-08-08): Multiple Vulnerabilities in Firefox

Description:

Mozilla has published security advisories to address multiple vulnerabilities found in Firefox. These vulnerabilities are caused by use-after-free error or add-on notification bypass through "data:" URL. A remote attacker could entice a user to open a web page with specially crafted content to exploit the vulnerabilities.

Affected Systems:

Firefox prior to version 40.0.3
Firefox ESR 38.x prior to version 38.2.1
(Firefox ESR 31.x could also be affected but it has reached end-of-support)

Impact:

Depending on the vulnerability exploited, a successful attack could lead to application crash, bypass of security restrictions or arbitrary code execution on an affected system.

Recommendation:

Mozilla has released new versions of the products to address the issues and they can be downloaded at the following URLs:

Firefox 40.0.3 for Windows, Macintosh and Linux
http://www.mozilla.org/en-US/firefox/all.html
Firefox ESR 38.2.1 for Windows, Macintosh and Linux
http://www.mozilla.org/en-US/firefox/organizations/all/

Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

Users of Firefox ESR 31.8 should be reminded that the product has reached end-of-support on 11 Aug 2015 and there will not be any patches available. Users should consider upgrading to newer versions for protections.

More Information:

https://www.mozilla.org/en-US/security/advisories/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-94/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-95/
https://wiki.mozilla.org/Enterprise/Firefox/ExtendedSupport:Proposal
https://www.hkcert.org/my_url/en/alert/15082801
https://www.us-cert.gov/ncas/current-activity/2015/08/27/Mozilla-Releases-Security-Updates-Firefox-and-Firefox-ESR
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4497 (to CVE-2015-4498)

Tag: Firefox , Mozilla