Firefox, ESR, and Thunderbird Memory Safety Bugs


Firefox has released patches for some of its high and moderate vulnerabilities in Firefox, ESR (Extended Support Release), and Thunderbird products. These vulnerabilities were privately disclosed, and appropriate CVEs and security advisories have been released.

The severity of the released list of vulnerabilities accounts for 4 High, 1 Low, and 8 Moderate.

CSN

High Severity Vulnerabilities:

CVE-2023-37201: Use-after-free in WebRTC certificate generation

This vulnerability exists due to the use-after-free condition in which a pointer to the memory is not cleared even after the memory location is freed up.

An attacker can use this to hack the program and use it for malicious purposes. The CVSS Score for this vulnerability is not published yet.

CVE-2023-37202: Potential use-after-free from compartment mismatch in SpiderMonkey

This vulnerability exists in the SpiderMonkey, an open-source JS and WebAssembly engine developed by the Mozilla Foundation. SpiderMonkey has a cross-compartment wrapping feature that wraps a scripted proxy.

This feature allows objects from other compartments to be stored in the main compartment leading to a use-after-free condition.

The CVSS Score and vector for this vulnerability are yet to be published.

CVE-2023-37211: Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13

This is a memory corruption vulnerability in the Firefox 114, ESR 102.13, and Thunderbird 102.13 versions that attackers could exploit to run arbitrary codes in the system.

The CVSS Score and vector for this vulnerability are yet to be published.

CVE-2023-37212: Memory safety bugs fixed in Firefox 115

This is a memory corruption vulnerability present in Firefox 114 that threat actors can exploit to run arbitrary codes in the systems.

The CVSS Score and vector for this vulnerability are yet to be published.

Medium Severity Vulnerabilities

CVE(s) Description
CVE-2023-3482 Block all cookies bypass for localstorage
CVE-2023-37203 Drag and Drop API may provide access to local system files
CVE-2023-37204 Fullscreen notification obscured via option element
CVE-2023-37205 URL spoofing in address bar using RTL characters
CVE-2023-37206 Insufficient validation of symlinks in the FileSystem API
CVE-2023-37207 Fullscreen notification obscured
CVE-2023-37208 Lack of warning when opening Diagcab files
CVE-2023-37209 Use-after-free in `NotifyOnHistoryReload`
CVE-2023-37210 Full-screen mode exit prevention

Affected Products and Fixed Versions

The mentioned vulnerabilities affect Firefox version 114. In order to fix these vulnerabilities, users are recommended to upgrade their Firefox to version 115.

With more than 392 million users, Firefox stands as one of the most used browsers in the world due to its features and security. Security researchers globally prefer Firefox over any other browsers due to its usability and convenience.

“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.



Source link