The Firefox web browser has been updated to version 40.0.3 to address serious vulnerabilities.
One issue, a use-after-free triggered when a canvas element is resized, is rated critical. An attacker can exploit the vulnerability by setting up a malicious web page that causes Firefox to crash, and the weakness could potentially be exploited to execute arbitrary code with the privileges of the attacked Firefox user.
“[The vulnerability] occurs when a resize event is triggered in concert with style changes but the canvas references have been recreated in the meantime, destroying the originally referenced context,” Mozilla wrote in its advisory.
Mozilla community member Jean-Max Reymond discovered the vulnerability, and it was later reported by Georgian researcher Ucha Gobejishvili via HP’s Zero Day Initiative.
The second flaw, rated high severity, is an add-on notification bypass through data: URLs.
By design, Firefox does not display a warning prompt when a user enters a URL that points directly to an add-on in the browser’s address bar. The normal install permission prompt is bypassed because Mozilla considers this a direct user action.
However, researcher Bas Venis discovered that an attacker could manipulate a data: URL on a loaded page to simulate this direct user input and bypass the installation prompt. An attacker can also make the installation prompt appear on top of a different site by triggering a page navigation right after the add-on installation is initiated.
An attacker could take advantage of this vulnerability to get users to install a rogue add-on by tricking them into thinking it comes from a trusted source.
Ubuntu has already released updated packages to address the flaws, and Red Hat is working on packages that fix the issues.