This week, the Mozilla Foundation released Firefox 25 for Mac OS X and other operating systems with patches for 10 flaws—of these, 5 are "critical." Mozilla identifies critical-impacting flaws as those that can be used to run attacker code and install software, requiring no user interaction beyond normal browsing. Therefore, we recommend all Firefox users apply the updates as soon as possible.
Four of the critical vulnerabilities could lead to a potentially exploitable crash, and the other is a memory safety bug, identified as MFSA 2013-93, which “showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code,” according to Mozilla's security advisory.
Following is a list of the security issues resolved in this update:
- MFSA 2013-102: Use-after-free in HTML document templates
- MFSA 2013-101: Memory corruption in workers
- MFSA 2013-100: Miscellaneous use-after-free issues found through ASAN fuzzing
- MFSA 2013-99: Security bypass of PDF.js checks using iframes
- MFSA 2013-98: Use-after-free when updating offline cache
- MFSA 2013-97: Writing to cycle collected object during image decoding
- MFSA 2013-95: Access violation with XSLT and uninitialized data
- MFSA 2013-94: Spoofing addressbar though SELECT element
- MFSA 2013-93: Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)
To get the latest version, you can update Firefox on your Mac by using the browser’s internal updater (go to Firefox > About Firefox > Check for Updates). Or you can head over to Mozilla.org to download Firefox 25 for Mac.