벌새::Security

Update: Mozilla Firefox 48.0

Mozilla Firefox, the open-source web browser provided by the Mozilla Foundation, has been updated to the Mozilla Firefox 48.0 release, which adds new features, fixes bugs and resolves 24 security vulnerabilities.

  • Process separation (e10s) is enabled for some of you. Like it? Let us know and we'll roll it out to more.
  • Roar for moar protection against harmful downloads! We've got your back
  • Add-ons that have not been verified and signed by Mozilla will not load
  • GNU/Linux fans: Get better Canvas performance with speedy Skia support. Try saying that three times fast
  • WebRTC embetterments: Delay-agnostic AEC enabled, Full duplex for GNU/Linux enabled, ICE Restart & Update is supported, Cloning of MediaStream and MediaStreamTrack is now supported
  • Searching for something already in your bookmarks or open tabs? We added super smart icons to let you know
  • Windows folks: Tab (move buttons) and Shift+F10 (pop-up menus) now behave as they should in Firefox customization mode
  • The media parser has been redeveloped using the Rust programming language
  • Windows 7 systems without Platform Update can now use D3D11 WARP

This update strengthens protection against malicious files when downloading files with the Mozilla Firefox web browser.

In the Security settings, the "Block dangerous and deceptive content" option has been improved to warn about dangerous downloads and about unwanted and uncommon software.

Typically, when a downloaded file is dangerous or requires a warning, a red exclamation mark is displayed in the download icon area.

When you click the downloads menu, dangerous files are shown without the open-folder icon and are clearly marked as dangerous so they are easy to recognize.

For other detailed changes, please refer to the Mozilla Firefox 48.0 Release Notes.

The security update includes a total of 23 security patches: Critical (3), High (7), Moderate (11) and Low (2).

■ Critical severity

(1) MFSA 2016-62 : Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)

  • CVE-2016-2835 : Memory safety bugs fixed in Firefox 48
  • CVE-2016-2836 : Memory safety bugs fixed in Firefox ESR 45.3 and Firefox 48

(2) MFSA 2016-72 : Use-after-free in DTLS during WebRTC session shutdown

  • CVE-2016-5258 : WebRTC - Use After Free in socket thread

(3) MFSA 2016-73 : Use-after-free in service workers with nested sync events

  • CVE-2016-5259 : Yet another Use After Free in CanonicalizeXPCOMParticipant()

■ High severity

(1) MFSA 2016-63 : Favicon network connection can persist when page is closed

  • CVE-2016-2830 : Favicon request doesn't timeout, or close when related window is closed

(2) MFSA 2016-64 : Buffer overflow rendering SVG with bidirectional content

  • CVE-2016-2838 : Heap-buffer-overflow in nsBidi::BracketData::AddOpening

(3) MFSA 2016-67 : Stack underflow during 2D graphics rendering

  • CVE-2016-5252 : stack-buffer-overflow in mozilla::gfx::BasePoint4d

(4) MFSA 2016-75 : Integer overflow in WebSockets during data buffering

  • CVE-2016-5261 : Integer overflow and memory corruption in WebSocketChannel

(5) MFSA 2016-77 : Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback

  • CVE-2016-2837 : Mozilla Firefox ClearKeyDecryptor Heap Buffer Overflow Remote Code Execution Vulnerability

(6) MFSA 2016-78 : Type confusion in display transformation

  • CVE-2016-5263 : Type confusion in nsDisplayList::HitTest

(7) MFSA 2016-79 : Use-after-free when applying SVG effects

  • CVE-2016-5264 : heap-use-after-free in nsNodeUtils::NativeAnonymousChildListChange

■ Moderate severity

(1) MFSA 2016-65 : Cairo rendering crash due to memory allocation issue with FFmpeg 0.10

  • CVE-2016-2839 : Crash in _cairo_surface_get_extents with FFMPEG 0.10

(2) MFSA 2016-68 : Out-of-bounds read during XML parsing in Expat library

  • CVE-2016-0718 : Heap read out-of-bound and crash in expat 2.1.0

(3) MFSA 2016-69 : Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter

  • CVE-2016-5253 : Arbitrary file overwrite with updater and moz maintenance service

(4) MFSA 2016-70 : Use-after-free when using alt key and toplevel menus

  • CVE-2016-5254 : Heap-use-after-free in nsXULPopupManager::KeyDown

(5) MFSA 2016-71 : Crash in incremental garbage collection in JavaScript

  • CVE-2016-5255 : crash in js::PreliminaryObjectArray::sweep()

(6) MFSA 2016-74 : Form input type change from password to text can store plain text password in session restore file

  • CVE-2016-5260 : Session Manager can sometimes store Firefox Accounts Password in plain text

(7) MFSA 2016-76 : Scripts on marquee tag can execute in sandboxed iframes

  • CVE-2016-5262 : XSS out of iframe sandbox, iframe disabled javascript. marquee

(8) MFSA 2016-80 : Same-origin policy violation using local HTML file and saved shortcut file

  • CVE-2016-5265 : Same origin policy bypass in local document/Universal xss

(9) MFSA 2016-81 : Information disclosure and local file manipulation through drag and drop

  • CVE-2016-5266 : Outgoing dataTransfer items are not filtered

(10) MFSA 2016-82 : Addressbar spoofing with right-to-left characters on Firefox for Android

  • CVE-2016-5267 : Firefox Mobile Address Bar Spoofing

(11) MFSA 2016-84 : Information disclosure through Resource Timing API during page navigation

  • CVE-2016-5250 : Resource Timing API is storing resources sent by the previous page

■ Low severity

(1) MFSA 2016-66 : Location bar spoofing via data URLs with malformed/invalid mediatypes

  • CVE-2016-5251 : HTTP(S) URL spoof in location bar

(2) MFSA 2016-83 : Spoofing attack through text injection into internal error pages

  • CVE-2016-5268 : bypass FireFox Secure Connection Failed prompt to whitelist any site (but doesn't work)

Therefore, Mozilla Firefox users should update to the latest version using the automatic update feature (open the Firefox menu → open the Help menu → About Firefox).