울지않는벌새 : Security, Movie & Society

Update: Mozilla Firefox 49.0


The Mozilla Foundation has released Mozilla Firefox 49.0, a stable version of its open-source web browser that adds new features, fixes bugs, and resolves 18 security vulnerabilities.

  • Updated Firefox Login Manager to allow HTTPS pages to use saved HTTP logins. It's one more way Firefox is supporting Let's Encrypt and helping users transition to a more secure web.
  • Added features to Reader Mode that make it easier on the eyes and the ears
      1. Controls that allow users to adjust the width and line spacing of text
      2. Narrate, which reads the content of a page out loud
  • Improved video performance for users on systems that support SSSE3 without hardware acceleration
  • Added context menu controls to HTML5 audio and video that let users loop files or play files at 1.25x speed
  • Enhancements for Mac users
      1. Improved performance on OS X systems without hardware acceleration
      2. Improved appearance of anti-aliased OS X fonts
  • Improvements in about:memory reports for tracking font memory usage
  • Improve performance on Windows systems without hardware acceleration

In this update, the Login Manager feature of the Firefox web browser changes in order to support the Let's Encrypt security campaign.

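Until now, an ID and password remembered by the Firefox Login Manager were filled in automatically only on exactly the same address they were saved for. Starting with Firefox 49, login information saved for an HTTP address can also be used for automatic login on the HTTPS address when the rest of the address is the same.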
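The matching rule described above, as an added example that is not Firefox's own code: `matchKind` and `loginsForPage` are hypothetical names and the login store is constructed sample data. It assumes the relaxation is one-way (HTTP to HTTPS on the same host and port), so a login saved for HTTPS is never offered to an HTTP page.

```javascript
// Added illustration of the Firefox 49 Login Manager rule; not Firefox source.
// matchKind and loginsForPage are hypothetical names used only in this example.
const WEB_SCHEMES = new Set(["http:", "https:"]);

// Returns "exact", "upgrade", or null for a saved origin and the page being filled.
function matchKind(savedOrigin, pageUrl) {
  let saved, page;
  try {
    saved = new URL(savedOrigin);
    page = new URL(pageUrl);
  } catch (e) {
    return null; // unparsable input never matches
  }
  if (!WEB_SCHEMES.has(saved.protocol) || !WEB_SCHEMES.has(page.protocol)) return null;
  if (saved.origin === page.origin) return "exact";
  // Scheme upgrade: only http -> https, and only for the same host and port.
  // URL.host omits a scheme's default port, so http://a.example and
  // https://a.example compare equal, while an explicit :8080 must be on both sides.
  if (saved.protocol === "http:" && page.protocol === "https:" && saved.host === page.host) {
    return "upgrade";
  }
  return null; // downgrade (https -> http), other host, subdomain, or port mismatch
}

// Filters a login store for a page and lists exact-origin matches first.
function loginsForPage(store, pageUrl) {
  return store
    .map((login) => ({ ...login, match: matchKind(login.origin, pageUrl) }))
    .filter((login) => login.match !== null)
    .sort((a, b) => (a.match === b.match ? 0 : a.match === "exact" ? -1 : 1));
}

// Constructed sample store (not real credentials or sites).
const SAMPLE_STORE = [
  { origin: "http://shop.example", username: "old-http" },
  { origin: "https://shop.example", username: "new-https" },
  { origin: "http://shop.example:8080", username: "dev-port" },
  { origin: "http://cdn.shop.example", username: "subdomain" },
  { origin: "https://bank.example", username: "https-only" },
];

for (const page of ["https://shop.example/account", "http://bank.example/login"]) {
  const names = loginsForPage(SAMPLE_STORE, page).map((l) => `${l.username} (${l.match})`);
  console.log(page, "->", names.length ? names.join(", ") : "no saved login offered");
}
```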

For the other detailed changes, please refer to the Mozilla Firefox 49.0 Release Notes.

The security updates include patches for 4 Critical, 10 High, 2 Moderate, and 2 Low severity vulnerabilities.

■ Critical

(1) CVE-2016-5275 : global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions

  • A buffer overflow when working with empty filters during canvas rendering

(2) CVE-2016-5278 : Heap-buffer-overflow in nsBMPEncoder::AddImageFrame

  • A potentially exploitable crash caused by a buffer overflow while encoding image frames to images

(3) CVE-2016-5256 : Memory safety bugs fixed in Firefox 49

  • Mozilla developers Christoph Diehl, Christian Holler, Gary Kwong, Nathan Froyd, Honza Bambas, Seth Fowler, and Michael Smith reported memory safety bugs present in Firefox 48. Some of these bugs showed evidence of memory corruption under certain circumstances and could potentially be exploited to run arbitrary code.

(4) CVE-2016-5257 : Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4

  • Mozilla developers and community members Christoph Diehl, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard, Steve Fink, Tyson Smith, Philipp, and Carsten Book reported memory safety bugs present in Firefox 48 and Firefox ESR 45.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

■ High

(1) CVE-2016-5270 : Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString

  • An out-of-bounds write of a boolean value during text conversion with some unicode characters.

(2) CVE-2016-5272 : Bad cast in nsImageGeometryMixin

  • A bad cast when processing layout with input elements can result in a potentially exploitable crash.

(3) CVE-2016-5273 : crash in mozilla::a11y::HyperTextAccessible::GetChildOffset

  • A potentially exploitable crash in accessibility

(4) CVE-2016-5276 : Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList

  • A use-after-free vulnerability triggered by setting an aria-owns attribute

(5) CVE-2016-5274 : use-after-free in nsFrameManager::CaptureFrameState

  • A use-after-free issue in web animations during restyling.

(6) CVE-2016-5277 : Heap-use-after-free in nsRefreshDriver::Tick

  • A use-after-free vulnerability with web animations when destroying a timeline

(7) CVE-2016-5280 : Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap

  • Use-after-free vulnerability when changing text direction

(8) CVE-2016-5281 : use-after-free in DOMSVGLength

  • Use-after-free vulnerability when manipulating SVG format content through script

(9) CVE-2016-5283 : <iframe src> fragment timing attack can reveal cross-origin data

  • A timing attack vulnerability using iframes to potentially reveal private data using document resizes and link colors

(10) CVE-2016-5284 : Add-on update site certificate pin expiration

  • Due to flaws in the process we used to update "Preloaded Public Key Pinning" in our releases, the pinning for add-on updates became ineffective in early September. An attacker who was able to get a mis-issued certificate for a Mozilla web site could send malicious add-on updates to users on networks controlled by the attacker. Users who have not installed any add-ons are not affected.

■ Moderate

(1) CVE-2016-5279 : Full local path of files is available to web pages after drag and drop

  • The full path to local files is available to scripts when local files are dragged and dropped into Firefox

(2) CVE-2016-5282 : Don't allow content to request favicons from non-whitelisted schemes

  • Favicons can be loaded through non-whitelisted protocols, such as jar:

■ Low

(1) CVE-2016-2827 : Out-of-bounds read in mozilla::net::IsValidReferrerPolicy

  • A content security policy (CSP) containing a referrer directive with no values can cause a non-exploitable crash.

(2) CVE-2016-5271 : Out-of-bounds read in PropertyProvider::GetSpacingInternal

  • An out-of-bounds read during the processing of text runs in some pages using display:contents.

Mozilla Firefox users should therefore update to the latest version using the automatic update feature (open the Firefox menu → open the Help menu → About Firefox).