Mozilla Patches High-Severity Vulnerabilities in Firefox, Thunderbird

Mozilla this week released security updates for the Firefox browser and Thunderbird mail client to address multiple vulnerabilities, including several bugs rated high severity.

Firefox 95 started rolling out to users earlier this week with the new RLBox isolation technology inside, meant to improve protections from web attacks by sandboxing potentially problematic subcomponents.

The browser refresh also includes patches for 13 vulnerabilities, including six that have a severity rating of high. Some of these patches were also included in Firefox ESR 91.4 and Thunderbird 91.4.0.

If successfully exploited, the most severe of these security errors could allow an attacker to execute arbitrary code within the context of the vulnerable application, which could potentially lead to full system compromise.

The first of these high-severity vulnerabilities could result in the target URL being exposed during navigation when asynchronous functions are executed (CVE-2021-43536). Another one is a heap buffer overflow caused by the “incorrect type conversion of sizes from 64bit to 32bit integers” (CVE-2021-43537).
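The truncation described for CVE-2021-43537 is a general bug class: when a 64-bit size is narrowed to a 32-bit field without a range check, only the low 32 bits survive, and an allocation sized from the narrowed value ends up far smaller than the data later written into it. The following C example is added here to illustrate that mechanism and the defensive check; it is not Mozilla's code, and the function names (`truncated_size`, `fits_u32`, `alloc_checked`) and the sample sizes are constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>

/* The unsafe pattern: an unchecked cast keeps only the low 32 bits.
 * A request for 0x100000010 bytes (4 GiB + 16) becomes 16 bytes. */
uint32_t truncated_size(uint64_t wide) {
    return (uint32_t)wide;
}

/* True when narrowing would change the value, i.e. a buffer allocated
 * from the narrowed size would be smaller than the caller asked for. */
bool would_be_undersized(uint64_t requested) {
    return (uint64_t)truncated_size(requested) != requested;
}

/* The defensive check (hypothetical helper): a 64-bit size may only be
 * narrowed if it fits the destination type. */
bool fits_u32(uint64_t wide) {
    return wide <= UINT32_MAX;
}

/* Hardened allocator wrapper: refuse out-of-range sizes instead of
 * silently allocating an undersized buffer. Returns NULL on rejection
 * or allocation failure. */
void *alloc_checked(uint64_t requested) {
    if (!fits_u32(requested)) {
        return NULL;
    }
    return malloc((uint32_t)requested);
}

int main(void) {
    uint64_t oversized = 0x100000010ULL; /* constructed sample size */
    uint64_t normal = 4096;

    printf("unchecked cast of %llu -> %u bytes (undersized: %s)\n",
           (unsigned long long)oversized, truncated_size(oversized),
           would_be_undersized(oversized) ? "yes" : "no");

    void *p = alloc_checked(oversized);
    printf("checked allocation of %llu: %s\n",
           (unsigned long long)oversized, p ? "succeeded" : "rejected");
    free(p);

    p = alloc_checked(normal);
    printf("checked allocation of %llu: %s\n",
           (unsigned long long)normal, p ? "succeeded" : "rejected");
    free(p);
    return 0;
}
```

Compilers will not warn about the implicit narrowing in every code path, so the range check has to be explicit at the point where a wider size is stored into a narrower field; a rejected allocation is a recoverable error, whereas a silently undersized buffer becomes a heap overflow on the next write.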

Mozilla also patched a potential spoofing attack where the full screen and pointer lock notification would be missing when requesting both (CVE-2021-43538), and a use-after-free caused by the GC not tracing live pointers (CVE-2021-43539).

Mozilla shipped patches for these four high-severity vulnerabilities to Firefox, Firefox ESR and Thunderbird users. Additionally, it addressed a high-severity use-after-free flaw in Firefox for macOS.

The browser maker also released patches for high-severity memory safety bugs that were found in the previous iterations of its applications, along with fixes for several medium- and low-severity vulnerabilities.

Looking to raise awareness of these vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued an advisory to encourage organizations to apply the available patches as soon as possible.

“Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system,” CISA notes.

Related: Firefox 95 Rolls Out With New ‘RLBox’ Isolation Feature

Related: Google Patches Serious Use-After-Free Vulnerabilities in Chrome

Related: Mozilla Rolling Out ‘Site Isolation’ With Release of Firefox 94

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
