09 Mar

Firefox vulnerabilities USN-2917-1

A security issue (Firefox vulnerabilities) affects these releases of Ubuntu (also Lubuntu) and its derivatives: 15.10, 14.04 LTS and 12.04 LTS. Firefox could be made to crash or run programs as your login if it opened a malicious website.

Francis Gabriel discovered a buffer overflow during ASN.1 decoding in NSS. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1950)

34 vulnerabilities were discovered and fixed in 45.0+build2. But you don’t have to worry, as upgrades will arrive in the next few hours. More information (and downloads) here.

07 Aug

Firefox exploit found in the wild

Yesterday morning, August 5, a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1.

The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.

Head to the Facebook Official Group to get more info about the updates.