Security Experts:

Mozilla Patches High-Severity Vulnerabilities in Firefox, Thunderbird

Mozilla this week released security updates for the Firefox browser and Thunderbird mail client to address multiple vulnerabilities, including several bugs rated high severity.

Firefox 95 started rolling out to users earlier this week with the new RLBox isolation technology inside, meant to improve protections from web attacks by sandboxing potentially problematic subcomponents.

The browser refresh also includes patches for 13 vulnerabilities, including six that have a severity rating of high. Some of these patches were also included in Firefox ESR 91.4 and Thunderbird 91.4.0.

If successfully exploited, the most severe of these security errors could allow an attacker to execute arbitrary code within the context of the vulnerable application, which could potentially lead to full system compromise.

The first of these high-severity vulnerabilities could result in the target URL being exposed during navigation when asynchronous functions are executed (CVE-2021-43536). Another one is a heap buffer overflow caused by the “incorrect type conversion of sizes from 64bit to 32bit integers” (CVE-2021-43537).

Mozilla also patched a potential spoofing attack where the full screen and pointer lock notification would be missing when requesting both (CVE-2021-43538), and a use-after-free caused by the GC not tracing live pointers (CVE-2021-43539).

Mozilla shipped patches for these four high-severity vulnerabilities to Firefox, Firefox ESR and Thunderbird users. Additionally, it addressed a high-severity use-after-free flaw in Firefox for macOS.

The browser maker also released patches for high-severity memory safety bugs that were found in the previous iterations of its applications, along with fixes for several medium- and low-severity vulnerabilities.

Looking to raise awareness of these vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued an advisory to encourage organizations to apply the available patches as soon as possible.

“Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system,” CISA notes.

Related: Firefox 95 Rolls Out With New 'RLBox' Isolation Feature

Related: Google Patches Serious Use-After-Free Vulnerabilities in Chrome

Related: Mozilla Rolling Out 'Site Isolation' With Release of Firefox 94

view counter