Mozilla on Wednesday announced security updates for both Firefox and Thunderbird, to patch 15 vulnerabilities, including five rated ‘high severity’.
The first high-severity flaw is an out-of-bounds write in ANGLE (Almost Native Graphics Layer Engine), the open source graphics engine used as the default WebGL backend in both Firefox and Chrome.
Tracked as CVE-2024-0741, the issue could be exploited to corrupt memory and cause a crash that could potentially lead to denial of service or arbitrary code execution.
The second issue, CVE-2024-0742, is described as a “failure to update user input timestamp”, allowing the user to unintentionally activate or dismiss certain browser prompts and dialogs.
Mozilla also patched a medium-severity bug that “could have allowed an attacker to set an arbitrary URI in the address bar or history,” and another where “a phishing site could have repurposed an about: dialog to show phishing content with an incorrect origin in the address bar”.
All the remaining vulnerabilities are medium-severity flaws leading to crashes, bypass of Content Security Policy, permissions request bypass, privilege escalation, or HSTS policy bypass.
Firefox 122 was released on January 23 with patches for all 15 security defects. Mozilla also pushed out Thunderbird 115.7 and Firefox ESR 115.7 with patches for nine of the bugs.
Mozilla makes no mention of any of these vulnerabilities being exploited in the wild. Additional information on the resolved issues can be found on the browser maker’s security advisories page.