Published on: 08 April 2015
Mozilla has published security advisories to address multiple vulnerabilities found in Firefox. These vulnerabilities are caused by a flaw in Reader mode on Firefox for Android to bypass restrictions and load privileged content, and a flaw in the HTTP Alternative Service implementation to bypass SSL certificate verification to launch man-in-the-middle attacks. A remote attacker could entice a user to open a web page in a specially configured server or with specially crafted content to exploit the vulnerabilities.
Depending on the vulnerability exploited, a successful attack could lead to website spoofing, bypass of security restrictions and arbitrary code execution.
Mozilla has released new versions of the products to address the issues and they can be downloaded at the following URLs:
Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.
https://www.mozilla.org/en-US/security/advisories/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-43/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-44/
https://www.mozilla.org/en-US/firefox/37.0.1/releasenotes/
https://www.us-cert.gov/ncas/current-activity/2015/04/06/Mozilla-Releases-Security-Update-Firefox
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0799