Critical Update: Firefox 59.0.1/Firefox ESR 52.7.2

Mozilla surprisingly released an update on March 16, 2018, upgrading Firefox to version 59.0.1. The update fixes vulnerabilities classified as critical. In addition, Firefox ESR will also be updated to version 52.7.2 due to these vulnerabilities.



The long shadows of the Pwn2Own contest

Last week, the Pwn2Own 2018 competition of the Zero Day Initiative was held. During this contest, we saw several browser hacks. The following video shows some impressions of the event.


(Source: YouTube)

There, Richard Zhu revealed a security hole in Firefox, which allowed access to the Windows kernel in case of an integer overflow. Zhu got a nice pile of money (120,000 US $) and the title 'Master of Pwn'.

Firefox vulnerabilities patched after hours

As a result, Mozilla's developers were forced to sit down immediately and develop a fix to mitigate these vulnerabilities. The Mozilla page with the release notes contains just a brief mention of 'various security fixes'. If you go into the details, a critical vulnerability has been fixed.

CVE-2018-5146: Out of bounds memory write in libvorbis

CVE-2018-5146 is described as follows within a security advisory.



Out of bounds memory write while processing Vorbis audio data

CRITICAL

PRODUCT: Firefox, Firefox ESR
FIXED IN

  • Firefox 59.0.1
  • Firefox ESR 52.7.2

This is a vulnerability that can lead to an out-of-bounds memory write when processing Vorbis-encoded audio data. This vulnerability was discovered by Richard Zhu via Trend Micro's Zero Day Initiative. The vulnerability was found or published in a Pwn2Own contest.

CVE-2018-5147: Out of bounds memory write in libtremor

The second vulnerability, CVE-2018-5147, also allows an out-of-bounds memory write and was reported by Huzaifa Sidhpurwala. It is practically the same error as in CVE-2018-5146, but it is in the library libtremor. This library is used by Firefox on Android and on ARM platforms instead of libvorbis.

So make sure Firefox is updated to the current version. This update took place in my Firefox 59.0.0 portable automatically yesterday.
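An added example, not from the original post or from Mozilla: a small Python check that flags Firefox installs older than the fixed versions named above (59.0.1 for the release channel, 52.7.2 for ESR). The host names and version strings are constructed sample data, and guessing the channel from an `esr` suffix or a 52.x version number is an assumption of this example.

```python
import re

# Fixed versions as listed in the advisory quoted above.
FIXED = {"release": (59, 0, 1), "esr": (52, 7, 2)}
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def has_fix(version_text, channel=None):
    """Return True/False for fix present/missing, None if unparseable.

    channel is "release" or "esr". When omitted it is guessed (assumption of
    this example): an "esr" suffix or a 52.x version means the ESR channel.
    """
    m = VERSION_RE.search(version_text)
    if m is None:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if channel is None:
        channel = "esr" if m.group(4) or version[0] == 52 else "release"
    return version >= FIXED[channel]


def audit(inventory):
    """Return (host, version_text, reason) for every host needing attention."""
    findings = []
    for host, version_text in inventory:
        status = has_fix(version_text)
        if status is None:
            findings.append((host, version_text, "unparseable version"))
        elif not status:
            findings.append((host, version_text, "below fixed version"))
    return findings


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "Mozilla Firefox 59.0.1"),
    ("ws-02", "Mozilla Firefox 59.0"),
    ("ws-03", "52.7.2esr"),
    ("ws-04", "52.7.1esr"),
    ("ws-05", "Mozilla Firefox 58.0.2"),
    ("ws-06", "not installed"),
]

if __name__ == "__main__":
    for host, version_text, reason in audit(SAMPLE_INVENTORY):
        print(f"{host}: {version_text!r} -> {reason}")
```

Pass `channel="esr"` explicitly when the inventory records the channel, since the guess only covers the versions discussed in this post.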

Tor browser also updated

Yesterday I wrote the article Tor Browser 7.5.1/7.5.2 released – and during writing, I recognized that version 7.5.2 was added shortly after Tor Browser 7.5.1 was released.

