Mozilla released Vulnerability-related.PatchVulnerability nine fixes in its Wednesday launch of Firefox 62 for Windows , Mac and Android – including one for a critical glitch that could enable attackers to run arbitrary code . Overall , the latest version of the Firefox browser included Vulnerability-related.PatchVulnerability fixes for the critical issue , three high-severity flaws , two moderate problems and three low-severity vulnerabilities . Topping the list is a memory safety bug ( CVE-2018-12376 ) , discovered Vulnerability-related.DiscoverVulnerability by a number of Mozilla developers and community members . A critical impact bug means the vulnerability can be used to run attacker code and install software , requiring no user interaction beyond normal browsing , according to Mozilla . The memory safety problem , which exists in Vulnerability-related.DiscoverVulnerability Firefox 61 and Firefox ESR 60 , meets these criteria , researchers said Vulnerability-related.DiscoverVulnerability . Mozilla didn ’ t release further details , but it did assign one CVE Vulnerability-related.DiscoverVulnerability to represent multiple similar issues . In addition to the memory safety bug ( s ) , Mozilla also fixed Vulnerability-related.PatchVulnerability three high-severity vulnerabilities in its latest update . These include a use-after-free glitch in refresh driver timers ( CVE-2018-12377 ) , which power browser-page refreshes . Another high-severity bug ( CVE-2018-12378 ) is a use-after-free vulnerability that occurs Vulnerability-related.DiscoverVulnerability when an IndexedDB index ( a low-level API for client-side storage of significant amounts of structured data ) is deleted while still in use by JavaScript code providing payload values . “ This results in a potentially exploitable crash , ” the advisory said . Mozilla developers and community members also found Vulnerability-related.DiscoverVulnerability a memory-safety bug ( CVE-2018-12375 ) in Firefox 61 , which showed evidence of memory corruption and could be exploited Vulnerability-related.DiscoverVulnerability to run arbitrary code , according to the advisory . The moderate and low-severity fixes that were deployed Vulnerability-related.PatchVulnerability in Firefox 62 include patches for an out-of-bounds write flaw ( triggered when the Mozilla Updater opens a MAR format file that contains a very long item filename ) ; and a proxy bypass glitch in the browser ’ s proxy settings . Firefox 62 for desktop is available Vulnerability-related.PatchVulnerability for download on Mozilla ’ s website .

UPDATE At DEFCON 22 in 2014 , researchers demonstrated hacks against the Samsung Smartcam that allowed an attacker to remotely take over the device . Samsung ’ s reaction at the time was to remove the web interface enabling the attack rather than patch the code in question . The Exploitee.rs , formerly the GTVHacker group , said users weren ’ t pleased with the response and in turn , decided to take another crack at analyzing Vulnerability-related.DiscoverVulnerability the device for vulnerabilities . On Saturday , the group publicly disclosed Vulnerability-related.DiscoverVulnerability a remote code execution bug it found Vulnerability-related.DiscoverVulnerability in the SNH-1011 Smartcam , and cautioned that it likely exists Vulnerability-related.DiscoverVulnerability in all Samsung Smartcam devices . “ The vulnerability occurs Vulnerability-related.DiscoverVulnerability because of improper sanitization of the iWatch firmware update filename , ” the group wrote Vulnerability-related.DiscoverVulnerability in a technical description of the vulnerability that also included a proof-of-concept exploit and instructions on how to patch Vulnerability-related.PatchVulnerability the flaw . “ A specially crafted request allows an attacker the ability to inject his own command providing the attacker remote root command execution ” . A request for comment from Samsung was not returned in time for publication . A Samsung contact told Threatpost that the vulnerability affects Vulnerability-related.DiscoverVulnerability only the SNH-1011 model and it will be removed Vulnerability-related.PatchVulnerability in an upcoming firmware update . The Exploitee.rs said they were motivated to look further at the cameras because of Samsung ’ s response to their first disclosure Vulnerability-related.DiscoverVulnerability . “ This angered a number of users and crippled the device from being used in any DIY monitoring solutions . So , we decided to audit the device once more to see if there is a way we can give users back access to their cameras while at the same time verifying the security of the devices new firmware ” . The original response looks especially weak in a climate where connected devices are being especially scrutinized for their security . “ While this flaw by default would not directly allow attacks from the Internet suitable for something like Mirai , it would be pretty trivial to use CSRF to infect devices on home networks , ” Tripwire principal security researcher Craig Young said . “ It is always disappointing when a vendor eliminates features rather than fixing Vulnerability-related.PatchVulnerability vulnerabilities as was the case in this camera ” . While the original issue from 2014 has been addressed , the Exploitee.rs wrote that what remains of the web interface includes a set of PHP scripts that allow the camera ’ s firmware to be updated through the iWatch webcam monitoring service . “ These scripts contain a command injection bug that can be leveraged for root remote command execution to an unprivileged user , ” they said . The researchers said Vulnerability-related.DiscoverVulnerability the flaw in iWatch can be exploited Vulnerability-related.DiscoverVulnerability through a special filename stored in a tar command that is passed to a php system call . “ Because the web-server runs as root , the filename is user supplied , and the input is used without sanitization , we are able to inject our own commands within to achieve root remote command execution , ” they said . ASUS patched Vulnerability-related.PatchVulnerability a bug that allowed attackers to pair two vulnerabilities to gain direct router access and execute commands as root