Mozilla has released Firefox 42 and Firefox ESR 38 38.4, which include fixes for worrying security vulnerabilities in the web browser.
Two Mozilla engineers, Tyson Smith and David Keeler, uncovered two flaws (CVE-2015-7181 and CVE-2015-7182) in NSS, a toolkit used by Firefox to encrypt web traffic over SSL/TLS.
By exploiting "a use-after-poison and buffer overflow in the ASN.1 decoder," a malicious HTTPS website can potentially inject arbitrary evil code into the connecting browser and execute it, it appears. That seems a particularly neat way to install malware on PCs.
These programming blunders are fixed in NSS versions 220.127.116.11, 3.19.4, and 3.20.1, which are used in Firefox 42 and Firefox ESR 38 38.4.
Other applications that use the open-source toolkit for encrypting internet traffic must be rebuilt with a non-vulnerable version of the libraries, and pushed out to people to install.
Meanwhile, Google security engineer Ryan Sleevi found an integer overflow bug (CVE-2015-7183) in NSPR, which is a component of NSS. The code can be exploited to potentially execute arbitrary malicious code in the browser.
Mozilla has also squished three possible remote-code execution bugs (CVE-2015-7198, CVE-2015-7199 and CVE-2015-7200) in the ANGLE graphics library's handling of SVG files. The programming cockups were reported by security researcher Ronald Crane. "These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them," Team Mozilla notes.
A set of scary looking flaws (CVE-2015-4513 and CVE-2015-4514) deep within the browser engine have also been fixed. "Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Moz admitted.
The bug-squishing round also includes six fixes for vulnerabilities that could allow sensitive information to be collected without permission, and nine other security issues rated as "moderate" or "low" risks.
As well as these patches, Firefox 42 has a handful of new features such as "tracking protection" in private-browsing mode that stops websites from identifying and tracking you with analytics software as you surf across the web.
"When you browse the web, you can unknowingly share information about yourself with third parties that are separate from the site you're actually visiting, even in Private Browsing mode on any browser," wrote Firefox product vice president Nick Nguyen on Tuesday.
"Private Browsing with Tracking Protection in Firefox for Windows, Mac, Android, and Linux actively blocks content like ads, analytics trackers, and social share buttons that may record your behavior without your knowledge across sites."
Nguyen claims Chrome, Safari, Microsoft Edge and Internet Explorer allow websites to follow users as they browse from site to site, even in incognito mode. This is something that Firefox no longer allows – if tracking protection is enabled, of course.
The WebRTC and Login Manager components have also been updated and the browser tab view now includes an indicator icon and mute option for pages that automatically play audio. ®