Mozilla released Firefox 46 last week, patching 10 vulnerabilities, one of which was rated critical.
Firefox 46 also included patches for four vulnerabilities that Mozilla rated as high severity. Critical bugs enable remote code execution without user interaction, while bugs rated high can be exploited to steal browser data or inject code into websites via the browser.
These four, CVE-2016-2804, CVE-2016-2805, CVE-2016-2806 and CVE-2016-2807, are memory safety issues in the browser’s Gecko engine, which is also used in the company’s other products such as Thunderbird.
The issues cause the browser to crash in a potentially exploitable way.
Fixed in Firefox 46:
- 2016-48 Firefox Health Reports could accept events from untrusted domains
- 2016-47 Write to invalid HashMap entry through JavaScript.watch()
- 2016-46 Elevation of privilege with chrome.tabs.update API in web extensions
- 2016-45 CSP not applied to pages sent with multipart/x-mixed-replace
- 2016-44 Buffer overflow in libstagefright with CENC offsets
- 2016-43 Disclosure of user actions through JavaScript with motion and orientation sensors
- 2016-42 Use-after-free and buffer overflow in Service Workers
- 2016-41 Content provider permission bypass allows malicious application to access data
- 2016-40 Privilege escalation through file deletion by Maintenance Service updater
- 2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)
Update to Firefox 46 now.
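For anyone checking a fleet rather than a single machine, the useful question is not "is this 46?" but "is this build on a branch that carries the fix?", because advisory 2016-39 in the list above names three fixed branches (rv:46.0 / rv:45.1 / rv:38.8). The following is an added example, not Mozilla's code and not from the original post; it assumes those three rv values correspond to fixed release 46.0, fixed ESR 45.1 and fixed ESR 38.8 (anything on a lower branch, or an earlier point release on one of those branches, is treated as unpatched), and it assumes `firefox --version` prints a line such as `Mozilla Firefox 45.0.2`. The sample version strings in the script are constructed so it runs offline.

```python
"""Check whether an installed Firefox build is on a branch that carries the
Firefox 46 memory-safety fixes (MFSA 2016-39: rv:46.0 / rv:45.1 / rv:38.8).

Added example, not Mozilla's code. Assumption: the three rv values map to
fixed release 46.0, fixed ESR 45.1 and fixed ESR 38.8.
"""
import re
import subprocess
from typing import Optional, Tuple

# Fixed (major, minor) per branch, keyed by major version so each ESR branch
# is compared against its own fixed point release rather than against 46.0.
FIXED_BY_MAJOR = {
    46: (46, 0),   # mainline release
    45: (45, 1),   # ESR 45 branch
    38: (38, 8),   # ESR 38 branch
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from text like 'Mozilla Firefox 45.0.2'."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_patched(version: Tuple[int, int, int]) -> bool:
    """True if the version is on a branch at or past the fixed release."""
    major, minor, _patch = version
    if major > 46:
        return True  # newer than anything this advisory covers
    fixed = FIXED_BY_MAJOR.get(major)
    if fixed is None:
        return False  # e.g. 44.x or 39.x: that branch never received the fix
    return (major, minor) >= fixed


def assess(version_output: str) -> str:
    """Turn a `firefox --version` line into a one-line patched/unpatched verdict."""
    v = parse_version(version_output)
    if v is None:
        return "unknown: could not parse version from %r" % version_output
    status = "patched" if is_patched(v) else "UNPATCHED (update required)"
    return "Firefox %d.%d.%d: %s" % (v + (status,))


def installed_version_output(binary: str = "firefox") -> str:
    """Run `firefox --version` (assumed output: 'Mozilla Firefox 46.0')."""
    return subprocess.run(
        [binary, "--version"], capture_output=True, text=True, check=True
    ).stdout


if __name__ == "__main__":
    # Constructed sample outputs so the script demonstrates itself offline;
    # replace with installed_version_output() on a real host.
    for sample in [
        "Mozilla Firefox 45.0.2",  # mainline, needs 46
        "Mozilla Firefox 46.0",    # fixed release
        "Mozilla Firefox 38.7.1",  # ESR 38, needs 38.8
        "Mozilla Firefox 45.1.0",  # ESR 45 fixed release
    ]:
        print(assess(sample))
```

The branch table is the point: a naive `>= 46.0` comparison would flag every ESR installation as unpatched, while a naive `>= 38.8` would wrongly pass a mainline 45.0.x build.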
Mozilla Firefox is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. Firefox is available for the Windows, OS X and Linux operating systems, with mobile versions available for Android and Firefox OS.
As of January 2016, Firefox has between 9% and 16% of worldwide usage as a “desktop” browser, making it the second most popular web browser after Google Chrome.