Earlier this month Mozilla announced a security advisory (MFSA2018-14) for its Firefox browser, noting that version 60.0.2 of both Firefox and Firefox Extended Support Release (ESR) as well as the legacy ESR (ESR 52.8.1) now have a fix for a critical-level buffer overflow vulnerability.
The buffer overflow bug, discovered by Ivan Fratric of Google Project Zero, occurs within Firefox’s implementation of the Skia library, an open-source graphics library that is used by almost all of the mainstream browsers.
Skia is used for rendering and rasterizing images and text, and Fratric found that an attacker could trigger a buffer overflow during the rasterization process if they use a malicious SVG image file with anti-aliasing turned off. The Mozilla advisory says this buffer overflow could result in “a potentially exploitable crash.”
We don’t know many specifics beyond that, but Mozilla’s critical rating means the vulnerability could have allowed an attacker to execute code without any user interaction beyond normal use and browsing: all you’d have to do is visit the wrong website.
The fixed versions of Firefox became available on 6 June, so if you’ve run your browser lately the chances are it’s already patched.
To be sure, though, check which version of the browser you are running. In Firefox on Windows, go to Help and select About Firefox; on a Mac, open the Firefox menu and select About Firefox.
You’ll see the version number of the browser and, hopefully, a “Firefox is up to date” notification in the window that appears. If not, click the update button.
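For anyone checking more than one machine, the same version check can be scripted. The following is an added example, not code from Mozilla or from this article: it compares already-collected version strings against the fixed versions named above, and the hostnames, sample strings and function names are constructed for illustration.

```python
import re

# Fixed versions named in the advisory text above.
FIXED_MAINLINE = (60, 0, 2)    # Firefox and Firefox ESR 60
FIXED_LEGACY_ESR = (52, 8, 1)  # legacy ESR 52 branch

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) found in a version string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    # A missing patch component ("61.0") is treated as 0.
    return tuple(int(g) if g else 0 for g in m.groups())


def has_fix(text):
    """True/False if the version does/doesn't carry the fix; None if unreadable."""
    v = parse_version(text)
    if v is None:
        return None
    if v[0] == 52:
        # Legacy ESR branch: compare only against its own fixed release.
        return v >= FIXED_LEGACY_ESR
    return v >= FIXED_MAINLINE


def needs_update(inventory):
    """Return hosts whose version lacks the fix or could not be read."""
    return [host for host, ver in inventory if has_fix(ver) is not True]


# Constructed sample inventory (hostnames and strings are made up).
SAMPLE = [
    ("ws-01", "Mozilla Firefox 60.0.2"),
    ("ws-02", "Mozilla Firefox 60.0.1"),
    ("ws-03", "52.8.1esr"),
    ("ws-04", "52.8.0esr"),
    ("ws-05", "Mozilla Firefox 61.0"),
    ("ws-06", "Mozilla Firefox 59.0.3"),
    ("ws-07", "not installed"),
]

if __name__ == "__main__":
    for host in needs_update(SAMPLE):
        print(host, "needs updating")
```

Hosts whose version string cannot be parsed are reported alongside the outdated ones, so a missing or unreadable entry is never counted as patched.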