CONFERENCE NOW LIVE: Threat Detection & Incident Response (TDIR) Summit - Join the Event In-Progress

SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Mozilla Patches High-Risk Firefox, Thunderbird Security Flaws

Mozilla has released Firefox 96 with patches for 18 security vulnerabilities affecting its flagship web browser and the Thunderbird mail program.

Of the newly patched security flaws, nine are rated high-severity while six carry a “medium-severity” rating.

Mozilla has released Firefox 96 with patches for 18 security vulnerabilities affecting its flagship web browser and the Thunderbird mail program.

Of the newly patched security flaws, nine are rated high-severity while six carry a “medium-severity” rating.

The most important of these issues is CVE-2022-22746, a race condition leading to the bypass of full-screen notification on Windows machines. 

Next in line is CVE-2022-22743, another fullscreen spoof, this time affecting the browser window. The bug could allow an attacker-controlled tab to prevent the browser from leaving fullscreen mode when the user navigates from inside an iframe.

Both security defects were discovered by Irvan Kurniawan, who also found that it was possible to prevent a popup window from leaving fullscreen mode when resizing the popup while requesting fullscreen access (CVE-2022-22741).

[ READ: Microsoft Calls Attention to ‘Wormable’ Windows Flaw ]

Kurniawan also reported an out-of-bounds memory access leading to a potentially exploitable crash (CVE-2022-22742). 

Other high-risk issues patched in Firefox 96 include two use-after-free flaws (CVE-2022-22740 and CVE-2022-22737), a heap-buffer overflow (CVE-2022-22738), and an iframe sandbox bypass using XSLT (CVE-2021-4140), according to a Mozilla advisory.

Advertisement. Scroll to continue reading.

The medium severity bugs in the browser refersh also include a sandbox escape when passing resource handles across processes in Firefox for Windows and macOS, lack of URL restrictions when scanning QR codes in Firefox for Android, spoofed origin on external protocol launch dialog, leak of cross-origin URLs via securitypolicyviolation events, and command injection in the “Copy as curl” feature in DevTools.

The open-source group also addressed a series of memory safety bugs affecting both Firefox 96, Firefox ESR 91.5, and Thunderbird 91.5 (CVE-2022-22751), along with medium severity memory safety bugs in Firefox 96 (CVE-2022-22752).

Related: Microsoft Calls Attention to ‘Wormable’ Windows Flaw

Related: Mozilla Patches High-Severity Flaws in Firefox, Thunderbird

Related: Firefox 95 Rolls Out With New ‘RLBox’ Isolation Feature 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

More from

Latest News

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Virtual Event: Threat Detection and Incident Response Summit
May 21, 2025

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Webinar: Cut Through the Noise: Why Context is a Secret Weapon in ASPM
May 29, 2025

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Jeremy Koppen has left Mandiant after 13 years to become the CISO of Equifax.

Engineering and technology solutions provider Amentum has appointed Max Shier as its CISO.

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.