With the release of Firefox 49, Mozilla have patched several serious as well as high rigorousness vulnerabilities recently, along with the certificate pinning problem that has been disclosed recently, as a result the users are exposed to man in the middle (MitM) attacks. Most of the vulnerabilities has been resolved with the released Mozilla Firefox ESR 45.4, along with numerous high severities as well as rated critical issues. Earlier Mozilla has decided to release Firefox 49 by 13th September, but it got delayed by a week as it detected a bug that was responsible for slowing the script message and it gets displayed on the desktop and android devices quite often.
The lists of critical flaw include a variety of memory safety applications such as CVE-2016-5257and CVE-2016-5256 that has been initiated by Mozilla developers as well as community members. And thus some of the weaknesses can also be subjugated in executing arbitrary code. It has been identified that ‘CVE-2016-5275’is related to global buffer overflow, when it is operating with the empty filters while canvas rendering and CVE-2016-5278 is associated with Heap buffer overflow in nsBMPEncoder::AddImageFrameencoding has been marked as critical.
The vulnerability in certificate pinning is also marked as high severity and can even affect the Tor Browser. This issue is generally caused due to some flaws while updating the Preloaded Public Key Pinning, and makes add-on updates in pinning ineffective, and this issue has been persisting after the launch of Firefox 48. In such cases the MitM attacker takes the advantage of such defect and obtains the certificate for addons.mozilla.org and then changes the legitimate add-on updates with the malicious versions. After that they can execute any arbitrary code on any specific system and that too without users approval. Though this illegal activity cannot be carried out easily, but experts believe that such act would be subjugated by the state-sponsored actors as well as criminal association. Researcher has estimated that in order to launch a mass attack against the Tor users, it would cost around $100,000.
Here are some of the lists of high sternness bugs patched by Mozilla are out-of-bounds read, heap-buffer overflow, use-after-free, bad cast along with other weaknesses that can even leak your personal details, crashing as well as execution of arbitrary code. Apart from these high severity and critical defect, Firefox 49 has fixed 2 moderate as well as 2 low severity problems. With the release of Firefox ESR 45.4 by Mozilla, it has resolves many vulnerabilities, it also includes numerous critical and high severity flaws.