Firefox Memory Corruption Flaw Let Attacker Execute Arbitrary Code

Mozilla Firefox 119 was released with updates for 11 vulnerabilities, including three issues of high severity, seven issues of moderate severity, and one issue of low severity.

Particularly, the browser update also fixes several memory safety flaws that are classified as CVE-2023-5730 and CVE-2023-5731, which could allow an attacker to run arbitrary code.

High-Severity Issues Addressed

The security flaw tracked as CVE-2023-5721, Queued up rendering, might have allowed websites to clickjack.

Due to an insufficient activation delay, certain browser prompts and dialogues might be triggered or rejected accidentally by the user. The issue was reported by Kelsey Gilbert.

The subsequent high-severity vulnerability is identified as CVE-2023-5730. Memory safety issues have been fixed in Thunderbird 115.4.1, Firefox 119, and Firefox ESR 115.4.

“Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code”, Mozilla said.

The issue was reported by Jed Davis, Andrew McCreight, Randell Jesup, and the Mozilla Fuzzing Team.

Additionally, the issue tracked as CVE-2023-5731, Memory safety bugs fixed in Firefox 119.

Mozilla stated that this memory corruption lets attackers run arbitrary code.

Moderate and Low Severity Issues Fixes

Patches for seven moderate-severity flaws that resulted in the bypass of download protections (CVE-2023-5727), crashes (CVE-2023-5724), unexpected errors (CVE-2023-5723), the opening of arbitrary URLs (CVE-2023-5725), and obscured full-screen notifications (CVE-2023-5729) were also included in Firefox 119.

A low severity flaw tracked as CVE-2023-5729, the Fullscreen notification dialog could have been obscured by WebAuthn prompts, has been fixed.

Along with Firefox 119, Mozilla also announced the release of Thunderbird 115.4.1 and Firefox ESR 115.4, which include updates for eight vulnerabilities, including CVE-2023-5721 and CVE-2023-5730.

Mozilla has no disclosure about any of these vulnerabilities being used in malicious activities.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Australian Pension Funds Hacked: Members Face Financial Losses

Several of Australia’s largest superannuation funds have been targeted in a coordinated cyberattack, leading to…

30 minutes ago

Frida Penetration Testing Toolkit Updated with Advanced Threat Monitoring APIs

In a significant update to the popular dynamic instrumentation toolkit Frida, developers have introduced powerful…

38 minutes ago

OpenVPN Flaw Allows Attackers Crash Servers and Run Remote Code

OpenVPN, a widely-used open-source virtual private network (VPN) software, has recently patched a security vulnerability…

3 hours ago

Apache Traffic Server Flaw Allows Request Smuggling Attacks

A critical vulnerability has been discovered in Apache Traffic Server (ATS), an open-source caching proxy…

3 hours ago

Secure Ideas Achieves CREST Accreditation and CMMC Level 1 Compliance

Secure Ideas, a premier provider of penetration testing and security consulting services, proudly announces its…

15 hours ago

New Phishing Campaign Targets Investors to Steal Login Credentials

Symantec has recently identified a sophisticated phishing campaign targeting users of Monex Securities (マネックス証券), a…

15 hours ago