Firefox Memory Corruption Flaw Let Attacker Execute Arbitrary Code

Mozilla Firefox 119 was released with updates for 11 vulnerabilities, including three issues of high severity, seven issues of moderate severity, and one issue of low severity.

Particularly, the browser update also fixes several memory safety flaws that are classified as CVE-2023-5730 and CVE-2023-5731, which could allow an attacker to run arbitrary code.

High-Severity Issues Addressed

The security flaw tracked as CVE-2023-5721, Queued up rendering, might have allowed websites to clickjack.

Due to an insufficient activation delay, certain browser prompts and dialogues might be triggered or rejected accidentally by the user. The issue was reported by Kelsey Gilbert.

The subsequent high-severity vulnerability is identified as CVE-2023-5730. Memory safety issues have been fixed in Thunderbird 115.4.1, Firefox 119, and Firefox ESR 115.4.

“Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code”, Mozilla said.

The issue was reported by Jed Davis, Andrew McCreight, Randell Jesup, and the Mozilla Fuzzing Team.

Additionally, the issue tracked as CVE-2023-5731, Memory safety bugs fixed in Firefox 119.

Mozilla stated that this memory corruption lets attackers run arbitrary code.

Moderate and Low Severity Issues Fixes

Patches for seven moderate-severity flaws that resulted in the bypass of download protections (CVE-2023-5727), crashes (CVE-2023-5724), unexpected errors (CVE-2023-5723), the opening of arbitrary URLs (CVE-2023-5725), and obscured full-screen notifications (CVE-2023-5729) were also included in Firefox 119.

A low severity flaw tracked as CVE-2023-5729, the Fullscreen notification dialog could have been obscured by WebAuthn prompts, has been fixed.

Along with Firefox 119, Mozilla also announced the release of Thunderbird 115.4.1 and Firefox ESR 115.4, which include updates for eight vulnerabilities, including CVE-2023-5721 and CVE-2023-5730.

Mozilla has no disclosure about any of these vulnerabilities being used in malicious activities.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.