Firefox 50 is out, and it includes security fixes for 3 critical, 12 high, 10 moderate, and 2 low severity issues, as well as many usability improvements.
Two of the critical issues involve a bunch of memory safety bugs that have been fixed in both Firefox 50 and Firefox ESR 45.5.
“Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code,” Mozilla developers noted.
The third critical issue is a heap-buffer-overflow that could lead to a potentially exploitable crash.
Among the high severity issues that were fixed are:
- One that could allow a malicious extension to install additional extensions without explicit user permission,
- One that could allow an attacker to perform a man-in-the-middle attack on the user’s connection to the update server and defeat the certificate pinning protection, allowing him to provide a malicious signed add-on instead of a valid update,
- One that could allow attackers to spoof the location bar in Firefox for Android, and
- Several that could lead to potentially exploitable crashes.
Firefox ESR 45.5 was also released on Tuesday, and shares a number of the Firefox fixes.
The difference between the two products is that Firefox is for users who want to get the latest features, performance enhancements and technologies in their browsing experience, while Firefox ESR is meant for organizations that manage their client desktops, including schools, businesses and other institutions that want to offer Firefox, but are not too worried about providing the above improvements as they are released.
Users are advised to update their installations as soon as possible. The next update is scheduled to be released on December 13, 2016.