Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Mozilla Patches High-Risk Firefox, Thunderbird Security Flaws

Mozilla has released Firefox 96 with patches for 18 security vulnerabilities affecting its flagship web browser and the Thunderbird mail program.

Of the newly patched security flaws, nine are rated high-severity while six carry a “medium-severity” rating.

Mozilla has released Firefox 96 with patches for 18 security vulnerabilities affecting its flagship web browser and the Thunderbird mail program.

Of the newly patched security flaws, nine are rated high-severity while six carry a “medium-severity” rating.

The most important of these issues is CVE-2022-22746, a race condition leading to the bypass of full-screen notification on Windows machines. 

Next in line is CVE-2022-22743, another fullscreen spoof, this time affecting the browser window. The bug could allow an attacker-controlled tab to prevent the browser from leaving fullscreen mode when the user navigates from inside an iframe.

Both security defects were discovered by Irvan Kurniawan, who also found that it was possible to prevent a popup window from leaving fullscreen mode when resizing the popup while requesting fullscreen access (CVE-2022-22741).

[ READ: Microsoft Calls Attention to ‘Wormable’ Windows Flaw ]

Kurniawan also reported an out-of-bounds memory access leading to a potentially exploitable crash (CVE-2022-22742). 

Other high-risk issues patched in Firefox 96 include two use-after-free flaws (CVE-2022-22740 and CVE-2022-22737), a heap-buffer overflow (CVE-2022-22738), and an iframe sandbox bypass using XSLT (CVE-2021-4140), according to a Mozilla advisory.

The medium severity bugs in the browser refersh also include a sandbox escape when passing resource handles across processes in Firefox for Windows and macOS, lack of URL restrictions when scanning QR codes in Firefox for Android, spoofed origin on external protocol launch dialog, leak of cross-origin URLs via securitypolicyviolation events, and command injection in the “Copy as curl” feature in DevTools.

The open-source group also addressed a series of memory safety bugs affecting both Firefox 96, Firefox ESR 91.5, and Thunderbird 91.5 (CVE-2022-22751), along with medium severity memory safety bugs in Firefox 96 (CVE-2022-22752).

Related: Microsoft Calls Attention to ‘Wormable’ Windows Flaw

Related: Mozilla Patches High-Severity Flaws in Firefox, Thunderbird

Related: Firefox 95 Rolls Out With New ‘RLBox’ Isolation Feature 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.