Firefox 47, which Mozilla released on June 7, provides users of the open-source Web browser with a baker’s dozen security updates and a number of incremental feature improvements.
A core focus for Firefox 47’s feature improvements come in the form of video enablement, including support for Google’s VP9 video codec. Additionally, Firefox will now play YouTube video with HTML5 if a user does not have Flash installed. The HTML5 video support is further extended to enable playback of Digital Rights Management (DRM) protected video, thanks to the integration of Google’s Widevine technology.
With Firefox 47, Mozilla is now also providing users with more insight into browser performance and possible problems with slow pages and add-ons with the new “about:performance” option. The about:performance option shows users the performance of open tabs as well as add-ons and provides the ability to close or reload the tab, or to disable and uninstall an add-on.
Mozilla rated only two of the 13 security advisories as critical, including MSFA-2016-49, which details a pair (CVE-2016-2815 and CVE-2016-2818) of memory safety bugs.
“Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code,” Mozilla warns in its advisory.
The second critical advisory is for an HTML5 parser flaw identified as CVE-2016-2819. There was a buffer overflow issue with HTML5 code fragments that could have triggered a potentially exploitable crash.
Among the high-impact flaws that Firefox 47 patches is CVE-2016-2826, which could have enabled an attacker to abuse the Mozilla Windows updater to overwrite arbitrary files on a user’s system.
“A malicious local program could invoke the updater and then interfere with the extracted files, replacing them with its own,” Mozilla warns. “This vulnerability could be used for privilege escalation if these overwritten files were later invoked by other Windows components that had higher privileges.”
Also of note is an address bar spoofing flaw (CVE-2016-2822) that Mozilla rates as having a moderate impact. The flaw could have potentially enabled an attacker to spoof the contents of the address bar, tricking a user into landing on a malicious site.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.