High-Severity Memory Corruption Vulnerabilities Patched in Firefox, Chrome


Mozilla and Google on Tuesday announced the release of stable updates for Firefox and Chrome to address several high-severity vulnerabilities, including memory corruption issues.

Mozilla released Firefox 117 with patches for 13 vulnerabilities, including seven rated ‘high severity’, four of which are described as memory corruption bugs affecting the browser’s IPC CanvasTranslator, IPC ColorPickerShownCallback, IPC FilePickerShownCallback, and JIT UpdateRegExpStatics components.

Reported by the same security researcher (known as sonakkbi) and tracked as CVE-2023-4573, CVE-2023-4574, and CVE-2023-4575, the first three flaws “could have led to a use-after-free causing a potentially exploitable crash,” Mozilla explains in its advisory.

Tracked as CVE-2023-4577, the fourth vulnerability could have led to a potentially exploitable crash as well.

Mozilla also patched a high-severity integer overflow (CVE-2023-4576) in the RecordedSourceSurfaceCreation component of Firefox for Windows, resulting in “a heap buffer overflow potentially leaking sensitive data that could have led to a sandbox escape”.

Firefox 117 also addresses multiple high-severity memory safety bugs that are collectively tracked as CVE-2023-4584 and CVE-2023-4585 and which also impact Firefox ESR and Thunderbird.

The remaining six issues addressed with this browser release are medium- and low-severity vulnerabilities that could lead to site spoofing, sensitive information leaks, the download of files without a warning of their potential harm, a buffer overflow, or browser context not being cleared when closing a private window.

On Tuesday, the browser maker also announced the release of Firefox ESR 115.2 with patches for 14 vulnerabilities, including 12 resolved in Firefox 117. Additionally, Mozilla released Firefox ESR 102.15 with patches for six vulnerabilities.

More information on these vulnerabilities can be found on Mozilla’s security advisories page.

Google on Tuesday released its second weekly update for Chrome, now rolling out as version 116.0.5845.140 for macOS and Linux and as versions 116.0.5845.140/.141 for Windows.

The Chrome update resolves one vulnerability, tracked as CVE-2023-4572 and described as a use-after-free flaw in MediaStream. Such issues may often be exploited to escape Chrome’s sandbox and achieve remote code execution, if combined with other vulnerabilities.

Mozilla and Google make no mention of any of these flaws being exploited in attacks.
