It's 2018 and… wow, you're still using Firefox? All right then, patch these horrid bugs
OG open-source darling gets security check-up
Mozilla's Firefox has been patched to address more than 30 CVE-listed security vulnerabilities.
The Firefox 58 update includes fixes for critical memory corruption bugs (under the blanket CVE-2018-5089 and CVE-2018-5090 labels) that could be exploited by dodgy webpages to execute malicious code within the browser – in other words, hijack the application and potentially the whole computer.
Ten of the 32 CVE-listed bugs fixed in the update are use-after-free cockups, which bad websites can exploit either to crash the software or as a stepping stone to malicious code execution and malware installation.
Among the most serious of the patched flaws was CVE-2018-5091, a use-after-free bug present in the DTMF timers used for WebRTC connections. Next, the fixes for CVE-2018-5093 and CVE-2018-5094 correct buffer overflow blunders in WebAssembly, while CVE-2018-5095 addresses a buffer overflow in the Skia graphics library.
A successful exploit of CVE-2018-5105 in WebExtensions would allow a website to save files to disk and launch them without any user notification, while CVE-2018-5107 could allow a webpage to abuse the print function to access some local files.
Other patched bugs include CVE-2018-5109, a flaw that allows pages to spoof the origin of an audio capture request, and CVE-2018-5117, a flaw in the display of address information that could allow for URL spoofing.
The ESR 52.6 update, meanwhile, contains 11 of the Firefox 58 updates, including the critical-rated memory corruption bug (CVE-2018-5089) and WebRTC use-after-free (CVE-2018-5091) vulnerability.
Firefox 58 also builds on last fall's release of Firefox 57. Considered the biggest update to the browser in years, the Firefox 57 release introduced Quantum, a rewritten browser engine that was intended to finally help Firefox compete with the likes of Google's Chrome and Microsoft's Edge browsers.