Mozilla Foundation releases Firefox 84 browser, repairing many flaws and providing general performance gains and Apple processor aid.
A Mozilla Basis update to the Firefox web browser, launched Tuesday, tackles one particular critical vulnerability and a handful of significant-severity bugs. The update, produced as Firefox variation 84, is also billed by Mozilla as boosting the browser’s overall performance and adding native aid for macOS hardware running on its have Apple processors.
In overall, 6 superior-severity flaws were being set, in addition to the critical bug, tracked as CVE-2020-16042. The unique critical bug in Firefox was also highlighted before this month in Google’s Chrome browser security update, exactly where it was rated as a higher-severity flaw.
The Firefox and Chrome bug in dilemma (CVE-2020-16042) is continue to not completely explained by both browser maker, and is only stated as a memory bug.
Mystery Bug Also Impacts Google Chrome Web Browser
“[These] are truly a critical attack vector that can be reliably exploited by hackers to launch privilege-escalation attacks in the Linux kernel,” according to 2017 investigate published by the Ga Institute of Technology.
The CVE was also referenced last week by Microsoft, as component of its December Patch Tuesday list of bugs impacting its Edge browser version 87..664.57. Microsoft’s Edge browser, release in January 2020, is primarily based on Google’s open up-resource software package task Chromium. The Chromium resource code is applied in Google’s Chrome browser and Microsoft’s 2020 Edge browser.
Mozilla’s Firefox browser is not Chromium based. WASM is supported in Mozilla Firefox and Apple Safari, even even though equally do not use Google’s V8. Some clues as to the character of the bug can be derived by the fact the bug impacts both equally the Firefox and Chrome browser – the popular denominator is WASM. In addition, a 2018 evaluation of WASM and V8 bugs warned of possible security issues.
In 2018, Google’s Challenge Zero released study titled “The Troubles and Assure of WebAssembly” and recognized a few vulnerabilities, which were mitigated. A person potential WASM threats, Google warned, was tied to WebAssembly’s garbage collector (GC) functionality.
WebAssembly the Culprit?
As for Google, it warned in 2018:
“WebAssembly GC is one more prospective characteristic of WebAssembly that could lead to security troubles. At this time, some uses of WebAssembly have functionality challenges because of to the lack of bigger-stage memory management in WebAssembly. For illustration, it is complicated to carry out a performant Java Virtual Equipment in WebAssembly. If WebAssembly GC is applied, it will enhance the amount of applications that WebAssembly can be made use of for, but it will also make it more likely that vulnerabilities related to memory management will come about in both equally WebAssembly engines and programs composed in WebAssembly.”
At both equally nationwide vulnerability database repositories, MITRE and NIST, the specialized particulars of the CVE have however to be publicly disclosed. In Google’s December Security Bulletin, it pointed out details tied to CVE-2020-16042 and other bugs have been remaining withheld, “until a bulk of consumers are current with a resolve.” It also noted that when and if bugs exist in third-party code libraries used in other equipment or platforms, complex particulars of the bugs are confined.
Credited for getting the bug is bug hunter André Bargull, who originally claimed the bug on November 23, in accordance to Google.
Six Superior-Severity Firefox Bugs
Memory issues dominated the list of superior-severity bugs patched by Mozilla Tuesday. Two “memory safety bugs” (CVE-2020-35114 and CVE-2020-35113) were being patched. Both CVEs tackled bugs in Firefox 84 and its massive-organization Firefox prolonged aid release (ESR) 78.6 browser.
“Some of these bugs confirmed proof of memory corruption and we presume that with sufficient exertion some of these could have been exploited to operate arbitrary code,” Mozilla wrote of the two bugs.
Also tied to browser memory are bugs tracked as CVE-2020-26971, CVE-2020-26972 and CVE-2020-26973, which contain a heap-buffer-overflow in WebGL, use-following-no cost in WebGL and a CSS sanitizer carried out incorrect sanitization flaw.
Place Ransomware on the Operate: Conserve your place for “What’s Following for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware planet and how to combat again.
Get the newest from John (Austin) Merritt, Cyber Risk Intelligence Analyst at Digital Shadows, Israel Barak, CISO at Cybereason and Limor Kessem, Govt Security Advisor at IBM Security on new kinds of attacks. Subjects will include things like the most perilous ransomware danger actors, their evolving TTPs and what your organization needs to do to get in advance of the future, unavoidable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.
Some parts of this post are sourced from: