High Severity Vulnerabilities In Mozilla Fixed, Update Now!


CISA has issued an alert on security updates for Mozilla Products, highlighting vulnerabilities in Firefox 114 and Firefox ESR 102.12. Exploiting these vulnerabilities in Mozilla Firefox could grant cybercriminals control over unpatched server systems.

On June 6, 2023, security updates for Firefox ESR 102.12 and Firefox 114 were released, addressing multiple vulnerabilities in Mozilla. The impact of these vulnerabilities is considered high. One of the fixed vulnerabilities, identified as CVE-2023-34414, involves click-jacking certificate exceptions through rendering lag.

Memory safety vulnerabilities in Mozilla were also addressed in the updates. In Firefox ESR 102.12 and Firefox 114, several bugs were fixed that could potentially lead to memory corruption and arbitrary code execution.

Another vulnerability, CVE-2023-34415, rated as moderate impact, involves site-isolation bypass on sites that allow open redirects to data: URLs.

Mozilla announces vulnerabilities in Firefox

The Mozilla Foundation Security Advisories released on June 6 addressed fixes for both Firefox 114 and Firefox ESR 102.12.

Vulnerabilities in Mozilla Firefox 114

The vulnerabilities in Mozilla Firefox 114 were as follows:

  1. CVE-2023-34414 – High severity bug
  2. CVE-2023-34415 – Moderate severity bug
  3. CVE-2023-34416 – High severity bug
  4. CVE-2023-34417 – High severity bug

The vulnerabilities in Mozilla Firefox ESR 102.12 were as follows:

  1. CVE-2023-34414 – High severity bug
  2. CVE-2023-34416 – High severity bug

The Mozilla Foundation Security advisory with reference to CVE-2023-34414 stated, “The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays.”

In this case, a user may accidentally click at a precise location on a malicious page just before reaching a website that has a certificate error. In such scenarios, rendering lag can leave a gap between the error page loading and its display.

A click that lands within that gap could override the certificate error for the website.

CVE-2023-34415 is a site-isolation bypass on sites that allow open redirects to data: URLs.

A data: URL reached through a redirect would load its document in the same process as the site that issued the redirect. This opened the way for Spectre-like attacks on sites with open redirects.
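Site operators can remove the precondition on their side by refusing redirect targets that are not HTTPS URLs on an allow-list. The following is an added example, not code from Mozilla's or CISA's advisories; `BASE`, `ALLOWED_ORIGINS` and `safeRedirectTarget` are hypothetical names chosen for illustration.

```javascript
// Added example (Node.js, no dependencies). BASE, ALLOWED_ORIGINS and
// safeRedirectTarget are assumptions for illustration, not a real site's config.
const BASE = "https://app.example";
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://login.example"]);

// Returns a normalized absolute URL that is safe to put in a Location header,
// or `fallback` when the requested target is not on the allow-list.
function safeRedirectTarget(raw, fallback = "/") {
  if (typeof raw !== "string" || raw.length > 2048) return fallback;
  let url;
  try {
    // WHATWG parsing, the same rules browsers apply: leading whitespace and
    // embedded tabs/newlines are stripped, the scheme is lower-cased, and
    // backslashes count as slashes for http(s) URLs.
    url = new URL(raw, BASE);
  } catch {
    return fallback;
  }
  // Scheme check first: data: and javascript: must never be redirect targets,
  // and a blob: URL would otherwise inherit the origin of its inner URL.
  if (url.protocol !== "https:") return fallback;
  // Origin covers scheme, host and port in one comparison.
  if (!ALLOWED_ORIGINS.has(url.origin)) return fallback;
  // Userinfo is not part of the origin; reject it instead of passing it on.
  if (url.username || url.password) return fallback;
  return url.href;
}

// Constructed sample inputs for a ?next= style redirect parameter.
const samples = [
  "/account",
  "https://login.example/cb?x=1",
  "data:text/html,<h1>x</h1>",
  " DaTa:text/html,x",
  "da\tta:text/html,x",
  "blob:https://app.example/1234",
  "//evil.example/x",
  "\\\\evil.example/x",
  "https://user@app.example/",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeRedirectTarget(s));
}
```

Every rejected input falls back to `/`, so the redirect endpoint never sends the browser to a data: URL or to an origin the site does not control.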

CVE-2023-34416 in Mozilla Firefox products was fixed in both Firefox 113 and Firefox ESR 102.11. The exploitation of this bug resulted in memory corruption on unpatched devices. It was noted that hackers may also be able to run arbitrary code by exploiting the bugs in Mozilla Firefox products.

CVE-2023-34417 covers memory safety bugs that were fixed in Firefox 114. Researchers found that exploitation of these bugs also resulted in memory corruption and allowed the running of arbitrary code.

Addressing the vulnerabilities in Mozilla Firefox, the CISA advisory read, “CISA encourages users and administrators to review Mozilla’s security advisories for Firefox 114 and Firefox ESR 102.12 for more information and apply the necessary updates.”

The Cyber Express has reached out to Mozilla for details about the bugs. We will update this news report based on their response.

Previously patched vulnerabilities in Mozilla Firefox

Kaspersky noted several high-severity vulnerabilities in Mozilla Firefox that allowed hackers to spoof the user interface and run arbitrary code. Hackers could also exploit the vulnerabilities in Mozilla Firefox versions prior to 112.0 to cause a DoS attack.

“Multiple vulnerabilities in Mozilla Firefox were found. Malicious users can exploit these vulnerabilities to spoof user interface, execute arbitrary code, cause a denial of service, obtain sensitive information, bypass security restrictions,” the Kaspersky report stated.

Among the noted vulnerabilities in Mozilla were:

  1. Data race vulnerability that could have been exploited to gain access to sensitive information on the compromised system.
  2. Out-of-bounds vulnerability leading to DoS attacks.
  3. Memory corruption vulnerability in Garbage Collection that could be used to remotely cause a DoS attack or run arbitrary code.
  4. Remote code execution vulnerability to execute arbitrary code.
  5. Security vulnerability in the bind function that can be exploited to bypass security measures.
  6. Use-after-free vulnerability leading to a DoS attack and running arbitrary code.
  7. Memory safety vulnerability to execute arbitrary code.
  8. Double free memory address vulnerability to cause a DoS attack or execute arbitrary code.
  9. Information disclosure vulnerability to gain access to sensitive information.
  10. Security UI vulnerability leading to spoofing of the user interface.
