Mozilla patches Firefox flaw discovered by GCHQ's information security arm

Mozilla has fixed a security flaw having high vulnerability impact on its Firefox web browser. The flaw was first discovered by the Communications-Electronics Security Group (CESG), the information security arm of the UK Government Communications Headquarters (GCHQ).

In Firefox version 46 that was released on 26 April across desktop and Android devices, Mozilla patched as many as 10 vulnerabilities, of which some are rated either critical or of high severity.

According to Mozilla's security advisories, a critical vulnerability can be used by an attacker to run arbitrary code and install software, requiring no user permission except normal browsing. A vulnerability of high impact can be used to get access to sensitive data from the websites in windows or inject code into the websites.

Mozilla has confirmed that it has fixed four of the critical memory safety bugs. The development was spotted by the Register. "Mozilla developers fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products," Mozilla noted, adding: "Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code."

The one that was reported by the GCHQ is a vulnerability that could be used to "overflow the 32-bit generation count of the underlying HashMap, resulting in a write to an invalid entry". The flaw, which could lead to arbitrary code execution by hackers, would require the user to keep the malicious page open during the time of the attack.

In addition, one of the high severity bug was first spotted by security researcher Maryam Mehrnezhad of UK Newcastle University. The flaw, which was found in the Firefox version for Android, could allow an attacker to perform malicious activities on a device while compromising on user's privacy and revealing the PIN code data along with other user activities.