Mozilla Foundation has published patches for several vulnerabilities in its security advisory 2023-15. The latest Mozilla vulnerability update covered security vulnerabilities in Thunderbird 102.10, which had flaws ranging from high, and moderate to low severity.
According to the Mozilla vulnerability update, 21 bugs including high-rated ones such as CVE-2023-29550, CVE-2023-0547, and CVE-2023-29536 were fixed.
“Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” said an assessment report of the latest Mozilla vulnerability update by cybersecurity company Tenable.
Mozilla Thunderbird works on an open-source cross-platform. It offers free email services that allow users to manage their personal information using the several options available on the platform.
Mozilla vulnerability update: Details of bugs
- CVE-2023-29531 was a high-severity out-of-bound memory access vulnerability that could have allowed hackers access via WebGL APIs. This vulnerability was found to impact macOS only.
- CVE-2023-29532, a high-severity vulnerability allowed evading the Mozilla Maintenance Service and having an unsigned update to be applied by directing users to a malicious SMB server. This flaw impacted Windows alone.
- CVE-2023-29533 would have allowed covering the fullscreen notification by misusing the open requests, window.name assignments and setInterval calls. Spoofing attacks were also a possibility by exploiting this high-severity vulnerability.
- The Double-free in libwebp vulnerability MFSA-TMP-2023-0001 could have allowed the running of arbitrary codes and corruption of the memory. It was a high-severity vulnerability.
Besides the above-mentioned vulnerabilities, the the Mozilla vulnerability update also addressed CVE-2023-29536, CVE-2023-0547, CVE-2023-29479, CVE-2023-29539, etc. These flaws allowed cybercriminals to access the Thunderbird user interface, had the memory manager skip detecting the attacker-controlled memory, and accept revoked certificates.
Revelations about vulnerabilities and security updates
A total of 206059 vulnerabilities were added to the National Vulnerability Database in 2022, according to reports.
Hackers always look for flaws in the software to launch ransomware, gain initial access to the systems, and exploit the device with unauthorized access.
Nearly 18% of all cyberattacks were launched exploiting vulnerabilities in 2021. Hence, it is imperative to focus on updating software as end users.
84% of companies were found to garner high-risk vulnerabilities that were not patched despite making updates available. A Veracode report highlighted that 80% of companies miss addressing new vulnerabilities in the first 1.5 years of the first scan.
Organizations also need to pay just as much attention to hunting bugs because one flaw could give access to all the employees’ systems across networks. With software updates and installation being as easy as a touch of a button, this must be diligently done regularly.
70% of applications were found to have at least one vulnerability in the first five years of its launch. Negligence in updating software can cause hefty damage to financial entities because the likelihood of critical vulnerabilities increases to 8% in payment-related applications.
Vulnerabilities, security updates, and the urgency of patching
Organizations tend to be laid-back when it comes to patching and vulnerability management, The Cyber Express found in January.
Take the case of the Microsoft alert on CVE-2022-37958, issued in December 2022. The warning clearly mentioning that the bug patched in September 2022 was still wormable.
A spot survey by The Cyber Express among its registered readers found that many are unaware of the bug.
According to the survey conducted among 32 CISO leaders from various industries and regions, it was found that only 17% of them took action to patch their systems after receiving an alert in December. Surprisingly, 43% of these leaders were yet to ensure a complete update of their systems.
Interestingly, some of the survey respondents questioned the urgency for the patch, implying a lack of concern about the importance of system security.
Dan Richings, SVP – Global Presales and Solutions Engineering at Adaptiva, identified several challenges that lead to poor patch management in companies.
These include overwhelming employees with constant patch influxes, difficulties in prioritizing updates, remote work complications, lack of communication between IT teams, outdated change management processes, flawed patches, and manual patching processes.