Description:
Mozilla has published security advisories to address multiple vulnerabilities found in Firefox. These vulnerabilities are caused by a flaw in Reader mode on Firefox for Android that allows restrictions to be bypassed and privileged content to be loaded, and a flaw in the HTTP Alternative Service implementation that allows SSL certificate verification to be bypassed, enabling man-in-the-middle attacks. To exploit the vulnerabilities, a remote attacker could entice a user to open a web page on a specially configured server or with specially crafted content.
Affected Systems:
- Firefox prior to version 37.0.1
Impact:
Depending on the vulnerability exploited, a successful attack could lead to website spoofing, bypass of security restrictions and arbitrary code execution.
Recommendation:
Mozilla has released new versions of the products to address the issues. They can be downloaded at the following URLs:
- Firefox 37.0.1 for Windows, Macintosh and Linux
http://www.mozilla.org/en-US/firefox/all.html
- Firefox 37.0.1 for Android
http://play.google.com/store/apps/details?id=org.mozilla.firefox
Users of affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk.
More Information:
https://www.mozilla.org/en-US/security/advisories/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-43/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-44/
https://www.mozilla.org/en-US/firefox/37.0.1/releasenotes/
https://www.us-cert.gov/ncas/current-activity/2015/04/06/Mozilla-Releases-Security-Update-Firefox
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0799