Security Alert (A15-08-04): Multiple Vulnerabilities in Firefox
12 August 2015
Mozilla has published security advisories to address multiple vulnerabilities found in Firefox. These vulnerabilities are caused by memory safety bugs in the browser engine, use-after-free error, integer overflows when handling MPEG4 video and buffer overflows in the Libvpx library used for WebM video. A remote attacker could entice a user to open a web page with specially crafted content to exploit the vulnerabilities.
Firefox prior to version 40
Firefox ESR 38.x prior to version 38.2 (Firefox ESR 31.x could also be affected but it has reached end-of-support)
Depending on the vulnerability exploited, a successful attack could lead to application crash, bypass of security restrictions, elevation of privilege and arbitrary code execution.
Mozilla has released new versions of the products to address the issues and they can be downloaded at the following URLs:
Firefox 40 for Windows, Macintosh and Linux http://www.mozilla.org/en-US/firefox/all.html
Firefox ESR 38.2 for Windows, Macintosh and Linux http://www.mozilla.org/en-US/firefox/organizations/all/
Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.
Users of Firefox ESR 31.8 should be reminded that the product has reached end-of-support on 11 Aug 2015 and there will not be any patches available. Users should consider upgrading to newer versions for protections.