Saturday, July 20, 2024

Firefox 127 Released With patch for 15 Vulnerabilities

Mozilla has released Firefox 127, addressing 15 security vulnerabilities, some of which have been rated as high impact.

This update is crucial for users to ensure their browsing experience remains secure.

Below is a detailed breakdown of the vulnerabilities fixed in this release.

CVE-2024-5687: An Incorrect Principal Could Have Been Used When Opening New Tabs

Reporter: jackyzy823
Impact: High
Description: When opening a new tab, a specific sequence of actions could result in an incorrect triggering principle.

This principle is crucial for calculating values like the Referer and Sec- headers, potentially leading to incorrect security checks and misleading information sent to remote websites.

This bug affects only Firefox for Android.

References: Bug 1889066

CVE-2024-5688: Use-After-Free in JavaScript Object Transplant

Reporter: Lukas Bernhard
Impact: High
Description: A use-after-free vulnerability could occur during object transplant if garbage collection is triggered correctly.

References: Bug 1895086

Analyze any MaliciousURL, Files & Emails & Configuration With ANY RUN Start your Analysis

CVE-2024-5689: User Confusion and Possible Phishing Vector via Firefox Screenshots

Reporter: Fabian Fäßler
Impact: Moderate
Description: A website could overlay the ‘My Shots’ button that appears when a user takes a screenshot, directing them to a replica Firefox Screenshots page, potentially used for phishing.

References: Bug 1389707

CVE-2024-5690: External Protocol Handlers Leaked by Timing Attack

Reporter: Satoki Tsuji
Impact: Moderate
Description: An attacker could guess which external protocol handlers were functional on a user’s system by monitoring the time certain operations take.

References: Bug 1883693

CVE-2024-5691: Sandboxed Iframes Bypassing Sandbox Restrictions to Open a New Window

Reporter: Luan Herrera
Impact: Moderate
Description: A sandboxed iframe could bypass restrictions to open a new window by tricking the browser with an X-Frame-Options header.

References: Bug 1888695

CVE-2024-5692: Bypass of File Name Restrictions During Saving

Reporters: Raphael Shaniyazov and Axel Chong (@Haxatron)
Impact: Moderate
Description: An attacker could trick the browser into saving a file with a disallowed extension on Windows by including an invalid character.

This issue only affects Windows operating systems.

References: Bug 1891234, Bug 1837514

CVE-2024-5693: Cross-Origin Image Leak via Offscreen Canvas

Reporter: Kirtikumar Anandrao Ramchandani
Impact: Moderate
Description: Offscreen Canvas did not correctly track cross-origin tainting, allowing access to image data from another site, violating the same-origin policy.

References: Bug 1891319

CVE-2024-5694: Use-After-Free in JavaScript Strings

Reporter: Lukas Bernhard
Impact: Moderate
Description: An attacker could cause a use-after-free in the JavaScript engine to read memory in the JavaScript string section of the heap.

References: Bug 1895055

CVE-2024-5695: Memory Corruption Using Allocation Under Out-of-Memory Conditions

Reporter: Irvan Kurniawan
Impact: Moderate
Description: An out-of-memory condition during allocations in the probabilistic heap checker could trigger an assertion, potentially leading to memory corruption.

References: Bug 1895579

CVE-2024-5696: Memory Corruption in Text Fragments

Reporter: Irvan Kurniawan
Impact: Moderate
Description: Manipulating text in a <input> tag could cause memory corruption, leading to a potentially exploitable crash.

References: Bug 1896555

CVE-2024-5697: Website Able to Detect When Firefox Takes a Screenshot

Reporter: Wil Clouser
Impact: Low
Description: A website could detect when a user took a screenshot using Firefox’s built-in Screenshot functionality.

References: Bug 1414937

CVE-2024-5698: Data-List Could Overlay Address Bar

Reporter: Hafiizh
Impact: Low
Description: By manipulating the fullscreen feature while opening a data-list, an attacker could overlay a text box over the address bar, leading to user confusion and possible spoofing attacks.

References: Bug 1828259

Reporter: Konstantin Preißer
Impact: Low
Description: Cookie prefixes such as __Secure were ignored if not correctly capitalized, violating the spec that requires case-insensitive comparison.

References: Bug 1891349

CVE-2024-5700: Memory Safety Bugs Fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12

Reporter: The Mozilla Fuzzing Team
Impact: High
Description: Memory safety bugs present in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11 showed evidence of memory corruption, which could potentially be exploited to run arbitrary code.

References: Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12

CVE-2024-5701: Memory Safety Bugs Fixed in Firefox 127

Reporters: Randell Jesup and the Mozilla Fuzzing Team
Impact: High
Description: Memory safety bugs in Firefox 126 showed evidence of memory corruption, potentially exploitable to run arbitrary code.

References: Memory safety bugs fixed in Firefox 127.

Mozilla urges all users to update to Firefox 127 to ensure their browsers are protected against these vulnerabilities.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo


Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles