울지않는벌새 : Security, Movie & Society

Update: Mozilla Firefox 43.0


The Mozilla Foundation has released Mozilla Firefox 43.0, the official build of its open-source Mozilla Firefox web browser, which adds new features, fixes bugs, and resolves 21 security vulnerabilities.

  • Private Browsing with Tracking Protection offers choice of blocking additional trackers
  • Improved API support for m4v video playback
  • Firefox 64-bit for Windows is now available via the Firefox download page
  • Users can choose search suggestions from the Awesome Bar
  • On-screen keyboard displayed on selecting input field on devices running Windows 8 or greater
  • Firefox Health Report has switched to use the same data collection mechanism as telemetry

In Mozilla Firefox 43.0, the Private Browsing with Tracking Protection feature has been changed so that it asks the user before attempting to block additional trackers.

Mozilla has also officially started providing 64-bit Mozilla Firefox installers for Windows and Linux.

  • 32-bit : Mozilla Firefox 43.0 (x86 ko) + Mozilla Maintenance Service
  • 64-bit : Mozilla Firefox 43.0 (x64 ko) + Mozilla Maintenance Service

As a result, on a 32-bit system the program is installed under "C:\Program Files (x86)\Mozilla Firefox" and "C:\Program Files (x86)\Mozilla Maintenance Service", while on a 64-bit system it is installed under "C:\Program Files\Mozilla Firefox" and "C:\Program Files (x86)\Mozilla Maintenance Service".


Therefore, on a 64-bit system, uninstall the 32-bit Mozilla Firefox web browser registered in Control Panel, then download the 64-bit installer and install it yourself.


For details of the remaining changes, refer to the Mozilla Firefox 43.0 Release Notes.


The security portion of the update consists of 16 security patches: 4 rated Critical, 7 High, 3 Moderate, and 2 Low.


■ Critical severity

(1) MFSA 2015-134 : Miscellaneous memory safety hazards (rv:43.0 / rv:38.5)

  • CVE-2015-7201 : Memory safety bugs fixed in Firefox ESR 38.5 and Firefox 43
  • CVE-2015-7202 : Memory safety bugs fixed in Firefox 43

(2) MFSA 2015-138 : Use-after-free in WebRTC when datachannel is used after being destroyed

  • CVE-2015-7210 : UAF due to DataChannelConnection not Destroy()ed before deletion

(3) MFSA 2015-148 : Privilege escalation vulnerabilities in WebExtension APIs

  • CVE-2015-7223 : Privilege escalation vulnerabilities in WebExtension APIs

(4) MFSA 2015-149 : Cross-site reading attack through data and view-source URIs

  • CVE-2015-7214 : cross-origin restriction bypass using data: and view-source: uri scheme

■ High severity

(1) MFSA 2015-135 : Crash with JavaScript variable assignment with unboxed objects

  • CVE-2015-7204 : Simple var assignments can trigger "can't convert undefined to object" exception

(2) MFSA 2015-136 : Same-origin policy violation using performance.getEntries and history navigation

  • CVE-2015-7207 : performance.getEntries() shows x-domain URLs after a redirect when loading from cache
  • Cached redirects + History traversal reveal cross-origin URLs

(3) MFSA 2015-139 : Integer overflow allocating extremely large textures

  • CVE-2015-7212 : Memset crash in mozilla::layers::BufferTextureClient::AllocateForSurface

(4) MFSA 2015-140 : Cross-origin information leak through web workers error events

  • CVE-2015-7215 : Cross-origin information disclosure with error message of Web Workers
  • Throw NetworkError for cross-origin importScripts() exceptions

(5) MFSA 2015-145 : Underflow through code inspection

  • CVE-2015-7205 : Underflow in RTPReceiverVideo::ParseRtpPacket causes memory-safety bug and information leak

(6) MFSA 2015-146 : Integer overflow in MP4 playback in 64-bit versions

  • CVE-2015-7213 : Overflow in MPEG4Extractor::readMetaData causes memory-safety bug

(7) MFSA 2015-147 : Integer underflow and buffer overflow processing MP4 metadata in libstagefright

  • CVE-2015-7222 : potential underflow in 'covr', unchecked allocation and copy in Metadata::setData
  • Fix integer underflow in covr MPEG4 processing

■ Moderate severity

(1) MFSA 2015-137 : Firefox allows for control characters to be set in cookies

  • CVE-2015-7208 : allowing vertical tab in cookies leads to cookie injection on some servers
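The cookie-injection risk behind CVE-2015-7208 comes from a browser sending a control character (vertical tab, 0x0B) inside a cookie that some servers then re-tokenise. The server-side validator below is an added example, not code from this post or from Mozilla; it assumes RFC 6265's `cookie-octet` grammar as the baseline and rejects any pair containing a CTL instead of silently splitting it.

```python
import re

# RFC 6265 grammar (assumed here as the validation baseline):
#   cookie-name  = token
#   cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
#   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
# cookie-octet excludes every CTL (0x00-0x1F, 0x7F), so a vertical tab
# (0x0B) is never a legal byte inside a cookie value.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_COOKIE_OCTETS = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")


def control_chars(value: str) -> list[int]:
    """Return the offsets of any CTL characters in value (empty when clean)."""
    return [i for i, ch in enumerate(value) if ord(ch) < 0x20 or ord(ch) == 0x7F]


def is_valid_cookie_value(value: str) -> bool:
    """True when value matches RFC 6265 cookie-value (surrounding quotes optional)."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return _COOKIE_OCTETS.match(value) is not None


def parse_cookie_header(header: str) -> dict[str, str]:
    """Strict server-side parser for a Cookie request header.

    Pairs are split only on ';' and trimmed only of SP/HTAB (the optional
    whitespace RFC 6265 allows). A lenient parser built on str.split(), which
    treats \x0b as whitespace, would instead yield an unexpected extra pair;
    here any pair carrying a CTL is rejected outright.
    """
    cookies: dict[str, str] = {}
    for pair in header.split(";"):
        pair = pair.strip(" \t")
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if not sep or not _TOKEN.match(name):
            raise ValueError(f"malformed cookie pair: {pair!r}")
        bad = control_chars(value)
        if bad or not is_valid_cookie_value(value):
            raise ValueError(f"illegal characters in cookie {name!r} at offsets {bad}")
        cookies[name] = value
    return cookies
```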

(2) MFSA 2015-143 : Linux file chooser crashes on malformed images due to flaws in Jasper library

  • CVE-2015-7216 : Firefox in Linux is using Jasper which is unmaintained and vulnerable
  • CVE-2015-7217 : Heap overflow and DoS with TGA files in gdk-pixbuf affecting Firefox

(3) MFSA 2015-144 : Buffer overflows found through code inspection

  • CVE-2015-7203 : Buffer overflow on OOM in DirectWriteFontInfo::LoadFontFamilyData
  • CVE-2015-7220 : Overflow in XDRBuffer::grow can cause memory-safety bug
  • CVE-2015-7221 : Overflow in nsDeque::GrowCapacity can cause memory-safety bug

■ Low severity

(1) MFSA 2015-141 : Hash in data URI is incorrectly parsed

  • CVE-2015-7211 : Partial URL spoofing using the data URI scheme

(2) MFSA 2015-142 : DOS due to malformed frames in HTTP/2

  • CVE-2015-7218 : Firefox HTTP2 Malformed Header Frame DoS
  • CVE-2015-7219 : Firefox HTTP2 Malformed PushPromise Underflow DoS

Mozilla Firefox users should therefore update to the latest version using the automatic update function (open the Firefox menu → Help → About Firefox) before continuing to use the browser.