Mozilla has released Firefox 96 with patches for 18 security vulnerabilities affecting its flagship web browser and the Thunderbird mail program.
Of the newly patched security flaws, nine are rated high-severity while six carry a “medium-severity” rating.
The most important of these issues is CVE-2022-22746, a race condition leading to the bypass of full-screen notification on Windows machines.
Next in line is CVE-2022-22743, another fullscreen spoof, this time affecting the browser window. The bug could allow an attacker-controlled tab to prevent the browser from leaving fullscreen mode when the user navigates from inside an iframe.
Both security defects were discovered by Irvan Kurniawan, who also found that it was possible to prevent a popup window from leaving fullscreen mode when resizing the popup while requesting fullscreen access (CVE-2022-22741).
[ READ: Microsoft Calls Attention to ‘Wormable’ Windows Flaw ]
Kurniawan also reported an out-of-bounds memory access leading to a potentially exploitable crash (CVE-2022-22742).
Other high-risk issues patched in Firefox 96 include two use-after-free flaws (CVE-2022-22740 and CVE-2022-22737), a heap-buffer overflow (CVE-2022-22738), and an iframe sandbox bypass using XSLT (CVE-2021-4140), according to a Mozilla advisory.
The medium severity bugs in the browser refersh also include a sandbox escape when passing resource handles across processes in Firefox for Windows and macOS, lack of URL restrictions when scanning QR codes in Firefox for Android, spoofed origin on external protocol launch dialog, leak of cross-origin URLs via securitypolicyviolation events, and command injection in the “Copy as curl” feature in DevTools.
The open-source group also addressed a series of memory safety bugs affecting both Firefox 96, Firefox ESR 91.5, and Thunderbird 91.5 (CVE-2022-22751), along with medium severity memory safety bugs in Firefox 96 (CVE-2022-22752).
Related: Microsoft Calls Attention to ‘Wormable’ Windows Flaw
Related: Mozilla Patches High-Severity Flaws in Firefox, Thunderbird
Related: Firefox 95 Rolls Out With New ‘RLBox’ Isolation Feature
More from Ionut Arghire
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- 820k Impacted by Data Breach at Zacks Investment Research
- US Government Agencies Warn of Malicious Use of Remote Management Software
- Chinese Hackers Adopting Open Source ‘SparkRAT’ Tool
- CISA Provides Resources for Securing K-12 Education System
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
