Firefox fixes critical buffer overflow | Tech News

Earlier this month Mozilla published a security advisory (MFSA2018-14) for its Firefox browser, noting that version 60.0.2 of both Firefox and Firefox Extended Support Release (ESR), as well as the legacy ESR (ESR 52.8.1), now include a fix for a critical-level buffer overflow vulnerability.

The buffer overflow bug, discovered by Ivan Fratric of Google Project Zero, occurs within Firefox’s implementation of the Skia library, an open-source graphics library that is used by almost all of the mainstream browsers.

Skia is used for rendering and rasterizing images and text, and Fratric found that an attacker could trigger a buffer overflow during the rasterization process if they use a malicious SVG image file with anti-aliasing turned off. The Mozilla advisory says this buffer overflow could result in “a potentially exploitable crash.”

We don’t know many specifics beyond that, but Mozilla rated this vulnerability critical, which means it could have allowed an attacker to execute code without any user interaction beyond normal use and browsing: all you’d have to do is visit the wrong website.