Mozilla's Firefox update fixes three critical holes

Mozilla's Maintenance Service's vulnerability to privilege escalation and three critical holes in the browser have been closed with Mozilla's release of Firefox 21. The flaws have also been fixed in the ESR release of Firefox 17.0.6 and, although only one is exploitable on the Mozilla email client, Thunderbird 17.0.6 and its ESR release. Users are advised to upgrade as soon as possible.

Although only rated as high severity, two of the flaws centre around the Mozilla Maintenance Service. One is a new local privilege escalation hole (MFSA2013-44) which would allow an attacker with access to the local filesystem to get system privileges through the Maintenance Service; according to Mozilla, this flaw is not exploitable from the web. The other is a failure to update registry entries when updating (MFSA2013-45), which left the browser exposed to previous privilege escalation holes in the Maintenance Service where Firefox version 12 was previously installed.

Rated as critical, MFSA2013-48 is a collection of six out-of-bound, invalid write, or heap use-after-free memory corruption problems which were discovered by a member of the Google Chrome Security team. Some of the problems were potentially exploitable and allowed for remote code execution. Also rated as critical, but not exploitable in Thunderbird because scripting is disabled, are MFSA2013-46 (a use-after-free after resizing a playing video) and MFSA2013-41 (another collection of memory safety issues).

There are also fixes rated with a high severity for DOM SVG Zoom events (MFSA2013-47) and an XSS-related access vulnerability (MFSA2013-42). Finally, there was moderate-rated problem where information about paths could be leaked through the <input> control (MFSA2013-43). Again, most of these issues affect Thunderbird but some may not be exploitable because of scripting being disabled.

Updates to Firefox 21 and Thunderbird 17.0.6 should be delivered through the automatic update system in each application; if users have disabled updates, the new versions can be obtained from the Firefox and Thunderbird download pages. Firefox 17.0.6 ESR and Thunderbird 17.0.6 ESR can also be downloaded, though users are reminded that these versions are designed for larger organisations.

(djwm)