Mozilla has released patches for 11 security vulnerabilities across its latest Firefox and Thunderbird versions, 5 of which have been assigned a ‘high’ severity rating.
The vulnerabilities affect the latest Firefox 105 release, issued this week, as well as Firefox Extended Support Release (ESR) 102.3 and Mozilla’s open source email client Thunderbird 91.13.1.

One of the most serious bugs affects both the latest Firefox 105 and Firefox ESR browsers, potentially allowing code execution.
The vulnerability, tracked as CVE-2022-40962, was discovered by Mozilla’s own Fuzzing Team, which observed memory corruption issues that could have been exploited to run arbitrary code “with enough effort”.
It’s not clear what this effort might entail, but code execution is one of the most serious vulnerabilities that can affect a system, allowing attackers to carry out a range of tasks such as installing malware, exfiltrating data, and stealing credentials.
Wider improvements to memory handling were one of the standout new features Mozilla delivered to Firefox with the release of version 105 earlier this week, in addition to an overall increase in browser speed.
The browser’s security is said to be improved thanks to the way it now handles low-memory conditions better. Mozilla said Firefox is also now less likely to run out of memory on Linux, performing better on systems when system-wide memory is low.
Other high-severity issues fixed included a pair of vulnerabilities affecting Firefox 105, each of which led to a potentially exploitable crash.
In the case of CVE-2022-3266, an out-of-bounds read error could occur when a user attempted to decode a video encoded with the popular H.264 compression codec.
The other was a use-after-free issue, again potentially causing an exploitable crash, in conditions where concurrent use of the browser’s URL parser with non-UTF-8 data was not thread-safe. Non-UTF-8 data refers to data that is not encoded in the UTF-8 Unicode standard.
CVE-2022-40959 is a vulnerability in Firefox 105 that led to device permissions being leaked to untrusted documents. This occurred when certain pages didn’t initialise their FeaturePolicy during iframe navigation.
The final high-severity flaw affected Thunderbird and could potentially lead to JavaScript code execution.
It could be exploited if a user replied to a specially crafted email containing a meta tag with the ‘http-equiv=”refresh”’ attribute and a content attribute specifying a URL. In this scenario, Thunderbird would start a network request to that URL and, when combined with other HTML elements and attributes, code execution could be achieved.
“The JavaScript code was able to perform actions including, but potentially not limited to, read and modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email,” said Mozilla.
“The contents could then be transmitted to the network, either to the URL specified in the meta refresh tag, or to a different URL, as the JavaScript code could modify the URL specified in the document.”
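As an added illustration of the trigger described above (not code from Mozilla or the original article), the following Python check, suitable for a mail gateway or a mailbox audit script, finds `<meta http-equiv="refresh">` tags in an HTML mail body and extracts the URL they would request, regardless of attribute case or order. The sample body is constructed for this example and points at a placeholder host.

```python
import re
from html.parser import HTMLParser

# Constructed sample HTML mail body carrying the meta refresh tag the advisory describes.
SAMPLE_BODY = """<html><head>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=https://example.invalid/collect">
</head><body><p>Hello</p></body></html>"""

# The content attribute looks like "0; url=https://..."; the URL part is optional.
_URL_IN_CONTENT = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)


class MetaRefreshFinder(HTMLParser):
    """Collect the target URL of every <meta http-equiv="refresh"> in a document."""

    def __init__(self):
        super().__init__()
        self.refresh_urls = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":  # HTMLParser already lower-cases tag and attribute names
            return
        attr = {k: (v or "") for k, v in attrs}
        if attr.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = _URL_IN_CONTENT.search(attr.get("content", ""))
        # Record an empty string for a bare timer refresh with no URL.
        self.refresh_urls.append(m.group(1) if m else "")


def find_meta_refresh(html):
    """Return the list of refresh target URLs found in an HTML mail body."""
    parser = MetaRefreshFinder()
    parser.feed(html)
    parser.close()
    return parser.refresh_urls


def has_meta_refresh(html):
    """True when the body contains any meta refresh tag, a signal worth flagging in mail."""
    return bool(find_meta_refresh(html))


if __name__ == "__main__":
    print(find_meta_refresh(SAMPLE_BODY))  # ['https://example.invalid/collect']
```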
The US Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert pointing to the security advisories for Firefox and Thunderbird, advising users and system administrators to apply the necessary patches.
Some parts of this article are sourced from:
www.itpro.co.uk