Mozilla Updates Firefox 24 With 17 Security Advisories
The latest open-source Firefox browser release adds new user features and patches critical security vulnerabilities.Mozilla on Sept. 17 released its latest open-source Firefox browser update for both Android as well as desktop versions for Windows, Mac and Linux operating systems. The Firefox 24 release is light on new user-facing features and heavy on security fixes, providing 17 security advisories, seven of which Mozilla has rated "critical." Among the critical vulnerabilities that Mozilla is fixing in Firefox 24 are a number of memory safety related security issues. "Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products," the Mozilla Foundation Security Advisory (MFSA) 2013-76 states. "Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code." There is also a use-after-free flaw with the "select" HTML element. A use-after-free memory error is one where authorized memory is able to be used by unauthorized elements after it is no longer in use. Mozilla noted in its security advisory that security researcher Scott Bell used Google's open-source Address Sanitizer tool in order to find the flaw. Google commonly uses Address Sanitizer itself to find use-after-free flaws in its own Chrome browser.
Memory corruption that could be triggered simply by scrolling a document is another critical flaw that Firefox 24 is fixing. Mozilla credits famed security researcher Nils for finding and reporting the flaw. Nils first gained media notoriety when as an unknown security researcher, he showed up at the 2009 Pwn2Own hacking challenge and was able to demonstrate previously unknown zero-day flaws in Internet Explorer, Firefox and Safari Web browsers.