모질라(Mozilla) 재단에서 제공하는 오픈 소스 기반 Mozilla Firefox 웹 브라우저가 새로운 기능 추가, 버그(Bug) 수정 및 27건의 보안 취약점 문제를 해결한 Mozilla Firefox 50.0 정식 버전을 업데이트 하였습니다.
- Playback video on more sites without plugins with WebM EME Support for Widevine on Windows and Mac.
- Improved performance for SDK extensions or extensions using the SDK module loader.
- Added download protection for a large number of executable file types on Windows, Mac and Linux.
- Increased availability of WebGL to more than 98 percent of users on Windows 7 and newer.
- Added Guarani (gn) locale.
- Added option to Find in page that allows users to limit search to whole words only.
- Updates to keyboard shortcuts.
- Set a preference to have Ctrl+Tab cycle through tabs in recently used order.
- View a page in Reader Mode by using Ctrl+Alt+R (command+alt+r on Mac)
이번 정기 업데이트에서는 많은 수의 실행 파일에 대한 다운로드 보호 기능이 추가되었으며, 그 외 세부적인 수정 사항에 대해서는 Mozilla Firefox 50.0 Release Note 내용을 참고하시기 바랍니다.
보안 취약점 관련 업데이트에서는 Critical 등급(3건), High 등급(12건), Moderate 등급(10건), Low 등급(2건)에 대한 보안 패치가 포함되어 있습니다.
■ Critical 등급
(1) CVE-2016-5289 : Memory safety bugs fixed in Firefox 50
Mozilla developers and community members Christian Holler, Andrew McCreight, Dan Minor, Tyson Smith, Jon Coppeard, Jan-Ivar Bruaroey, Jesse Ruderman, and Markus Stange reported memory safety bugs present in Firefox 49. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.
(2) CVE-2016-5290 : Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5
Mozilla developers and community members Olli Pettay, Christian Holler, Ehsan Akhgari, Jon Coppeard, Gary Kwong, Tooru Fujisawa, Philipp, and Randell Jesup reported memory safety bugs present in Firefox 49 and Firefox ESR 45.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.
(3) CVE-2016-5296 : Heap-buffer-overflow WRITE in rasterize_edges_1
A heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially exploitable crash.
■ High 등급
(1) CVE-2016-5292 : URL parsing causes crash
During URL parsing, a maliciously crafted URL can cause a potentially exploitable crash.
(2) CVE-2016-5293 : Write to arbitrary file with Mozilla Updater and Maintenance Service using updater.log hardlink
When the Mozilla Updater is run, if the Updater's log file in the working directory points to a hardlink, data can be appended to an arbitrary local file. This vulnerability requires local system access.
단, 해당 취약점은 Windows 운영 체제에서만 해당됩니다.
(3) CVE-2016-5294 : Arbitrary target directory for result files of update process
The Mozilla Updater can be made to choose an arbitrary target working directory for output files resulting from the update process. This vulnerability requires local system access.
단, 해당 취약점은 Windows 운영 체제에서만 해당됩니다.
(4) CVE-2016-5297 : Incorrect argument length checking in JavaScript
An error in argument length checking in JavaScript, leading to potential integer overflows or other bounds checking issues.
(5) CVE-2016-9064 : Add-ons update must verify IDs match between current and new versions
Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. An attacker who could perform a man-in-the-middle attack on the user's connection to the update server and defeat the certificate pinning protection could provide a malicious signed add-on instead of a valid update.
(6) CVE-2016-9065 : Firefox for Android location bar spoofing using fullscreen
The location bar in Firefox for Android can be spoofed by forcing a user into fullscreen mode, blocking its exiting, and creating of a fake location bar without any user notification.
단, 해당 취약점은 Android 모바일 운영 체제용 Firefox 웹 브라우저에서만 해당됩니다.
(7) CVE-2016-9066 : Integer overflow leading to a buffer overflow in nsScriptLoadHandler
A buffer overflow resulting in a potentially exploitable crash due to memory allocation issues when handling large amounts of incoming data.
(8) CVE-2016-9067 : heap-use-after-free in nsINode::ReplaceOrInsertBefore
Two use-after-free errors during DOM operations resulting in potentially exploitable crashes.
(9) CVE-2016-9068 : heap-use-after-free in nsRefreshDriver
A use-after-free during web animations when working with timelines resulting in a potentially exploitable crash.
(10) CVE-2016-9072 : 64-bit NPAPI sandbox isn't enabled on fresh profile
When a new Firefox profile is created on 64-bit Windows installations, the sandbox for 64-bit NPAPI plugins is not enabled by default.
단, 해당 취약점은 Windows x64 비트 운영 체제 환경에서만 해당됩니다.
(11) CVE-2016-9075 : WebExtensions can access the mozAddonManager API and use it to gain elevated privileges
An issue where WebExtensions can use the mozAddonManager API to elevate privilege due to privileged pages being allowed in the permissions list. This allows a malicious extension to then install additional extensions without explicit user permission.
(12) CVE-2016-9077 : Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them
Canvas allows the use of the feDisplacementMap filter on images loaded cross-origin. The rendering by the filter is variable depending on the input pixel, allowing for timing attacks when the images are loaded from third party locations.
■ Moderate 등급
(1) CVE-2016-5291 : Same-origin policy violation using local HTML file and saved shortcut file
A same-origin policy bypass with local shortcut files to load arbitrary local content from disk.
(2) CVE-2016-5295 : Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM
This vulnerability allows an attacker to use the Mozilla Maintenance Service to escalate privilege by having the Maintenance Service invoke the Mozilla Updater to run malicious local files. This vulnerability requires local system access and is a variant of MFSA2013-44.
단, 해당 취약점은 Windows 운영 체제에서만 해당됩니다.
(3) CVE-2016-5298 : SSL indicator can mislead the user about the real URL visited
A mechanism where disruption of the loading of a new web page can cause the previous page's favicon and SSL indicator to not be reset when the new page is loaded.
단, 해당 취약점은 Android 모바일 운영 체제용 Firefox 웹 브라우저에서만 해당됩니다.
(4) CVE-2016-5299 : Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions
A previously installed malicious Android application with same signature-level permissions as Firefox can intercept AuthTokens meant for Firefox only.
단, 해당 취약점은 Android 모바일 운영 체제용 Firefox 웹 브라우저에서만 해당됩니다.
(5) CVE-2016-9061 : API key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions
A previously installed malicious Android application which defines a specific signature-level permissions used by Firefox can access API keys meant for Firefox only.
단, 해당 취약점은 Android 모바일 운영 체제용 Firefox 웹 브라우저에서만 해당됩니다.
(6) CVE-2016-9062 : Private browsing browser traces (Android) in browser.db and wal file
Private browsing mode leaves metadata information, such as URLs, for sites visited in browser.db and browser.db-wal files within the Firefox profile after the mode is exited.
단, 해당 취약점은 Android 모바일 운영 체제용 Firefox 웹 브라우저에서만 해당됩니다.
(7) CVE-2016-9070 : Sidebar bookmark can have reference to chrome window
A maliciously crafted page loaded to the sidebar through a bookmark can reference a privileged chrome window and engage in limited JavaScript operations violating cross-origin protections.
(8) CVE-2016-9073 : windows.create schema doesn't specify "format": "relativeUrl"
WebExtensions can bypass security checks to load privileged URLs and potentially escape the WebExtension sandbox.
(9) CVE-2016-9074 : Insufficient timing side-channel resistance in divSpoiler
An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1.
(10) CVE-2016-9076 : select dropdown menu can be used for URL bar spoofing on e10s
An issue where a <select> dropdown menu can be used to cover location bar content, resulting in potential spoofing attacks. This attack requires e10s to be enabled in order to function.
■ Low 등급
(1) CVE-2016-9063 : Possible integer overflow to fix inside XML_Parse in Expat
An integer overflow during the parsing of XML using the Expat library.
(2) CVE-2016-9071 : Probe browser history via HSTS/301 redirect + CSP
Content Security Policy combined with HTTP to HTTPS redirection can be used by malicious server to verify whether a known site is within a user's browser history.
그러므로 Mozilla Firefox 웹 브라우저 사용자는 자동 업데이트(Firefox 메뉴 열기 → 도움말 메뉴 열기 → Firefox 정보) 기능을 이용하여 최신 버전으로 업데이트하시기 바랍니다.