Reg comments18

Mozilla slings Firefox patches at flaw found by GCHQ's infosec arm

Browser bods emit ten patches in total, some for critical or high severity holes

In version 46 of its popular Firefox web browser, Mozilla has patched 10 vulnerabilities, some rated either critical or high severity, that permitted remote code execution.

One of the patched high-severity flaws was burned reported by the Communications-Electronics Security Group (CESG), the information security limb of the UK's Government Communications Headquarters (GCHQ).

Mozilla says in an advisory that four critical memory safety bugs (CVE-2016-2804 to 2807) are now patched.

"Mozilla developers fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products," the security team says

"Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code."

The lone high severity bug was found by British security bods Maryam Mehrnezhad, Ehsan Toreini, Siamak F. Shahandashti, and Feng Hao of Newcastle University.

The flaw hits Firefox's mobile app and offers a way to steal data. The flaw was discovered using "orientation data and motion sensors on a mobile device's browser accessible through JavaScript", according to the Mozilla crew.

"This allows an attacker to infer touch actions on the device through these sensors when orientation events are triggered in the browser, compromising user privacy and including potentially revealing entered PIN code data along with other user activities." ®

Sign up to our Newsletter

Get IT in your inbox daily

Biting the hand that feeds IT © 1998–2017