Tuesday, July 16, 2024

Firefox Memory Corruption Flaw Let Attacker Execute Arbitrary Code

Mozilla Firefox 119 was released with updates for 11 vulnerabilities, including three issues of high severity, seven issues of moderate severity, and one issue of low severity.

Particularly, the browser update also fixes several memory safety flaws that are classified as CVE-2023-5730 and CVE-2023-5731, which could allow an attacker to run arbitrary code.

High-Severity Issues Addressed

The security flaw tracked as CVE-2023-5721, Queued up rendering, might have allowed websites to clickjack.

Due to an insufficient activation delay, certain browser prompts and dialogues might be triggered or rejected accidentally by the user. The issue was reported by Kelsey Gilbert.

The subsequent high-severity vulnerability is identified as CVE-2023-5730. Memory safety issues have been fixed in Thunderbird 115.4.1, Firefox 119, and Firefox ESR 115.4.

“Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code”, Mozilla said.

The issue was reported by Jed Davis, Andrew McCreight, Randell Jesup, and the Mozilla Fuzzing Team.

Additionally, the issue tracked as CVE-2023-5731, Memory safety bugs fixed in Firefox 119.

Mozilla stated that this memory corruption lets attackers run arbitrary code.

Moderate and Low Severity Issues Fixes

Patches for seven moderate-severity flaws that resulted in the bypass of download protections (CVE-2023-5727), crashes (CVE-2023-5724), unexpected errors (CVE-2023-5723), the opening of arbitrary URLs (CVE-2023-5725), and obscured full-screen notifications (CVE-2023-5729) were also included in Firefox 119.

A low severity flaw tracked as CVE-2023-5729, the Fullscreen notification dialog could have been obscured by WebAuthn prompts, has been fixed.

Along with Firefox 119, Mozilla also announced the release of Thunderbird 115.4.1 and Firefox ESR 115.4, which include updates for eight vulnerabilities, including CVE-2023-5721 and CVE-2023-5730.

Mozilla has no disclosure about any of these vulnerabilities being used in malicious activities.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.


Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles