Sunday, July 14, 2024
EHA

Firefox, ESR, and Thunderbird Memory Safety Bugs Could Allow Unauthorized Code Execution

Firefox has released patches for some of its high and moderate vulnerabilities in Firefox, ESR (Extended Support Release), and Thunderbird products. These vulnerabilities were privately disclosed, and appropriate CVEs and security advisories have been released.

The severity of the released list of vulnerabilities accounts for 4 High, 1 Low, and 8 Moderate.

High Severity Vulnerabilities:

CVE-2023-37201: Use-after-free in WebRTC certificate generation

This vulnerability exists due to the use-after-free condition in which a pointer to the memory is not cleared even after the memory location is freed up.

An attacker can use this to hack the program and use it for malicious purposes. The CVSS Score for this vulnerability is not published yet.

CVE-2023-37202: Potential use-after-free from compartment mismatch in SpiderMonkey

This vulnerability exists in the SpiderMonkey, an open-source JS and WebAssembly engine developed by the Mozilla Foundation. SpiderMonkey has a cross-compartment wrapping feature that wraps a scripted proxy.

This feature allows objects from other compartments to be stored in the main compartment leading to a use-after-free condition.

The CVSS Score and vector for this vulnerability are yet to be published.

CVE-2023-37211: Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13

This is a memory corruption vulnerability in the Firefox 114, ESR 102.13, and Thunderbird 102.13 versions that attackers could exploit to run arbitrary codes in the system.

The CVSS Score and vector for this vulnerability are yet to be published.

CVE-2023-37212: Memory safety bugs fixed in Firefox 115

This is a memory corruption vulnerability present in Firefox 114 that threat actors can exploit to run arbitrary codes in the systems.

The CVSS Score and vector for this vulnerability are yet to be published.

Medium Severity Vulnerabilities

CVE(s)Description
CVE-2023-3482Block all cookies bypass for localstorage
CVE-2023-37203Drag and Drop API may provide access to local system files
CVE-2023-37204Fullscreen notification obscured via option element
CVE-2023-37205URL spoofing in address bar using RTL characters
CVE-2023-37206Insufficient validation of symlinks in the FileSystem API
CVE-2023-37207Fullscreen notification obscured
CVE-2023-37208Lack of warning when opening Diagcab files
CVE-2023-37209Use-after-free in `NotifyOnHistoryReload`
CVE-2023-37210Full-screen mode exit prevention

Affected Products and Fixed Versions

The mentioned vulnerabilities affect Firefox version 114. In order to fix these vulnerabilities, users are recommended to upgrade their Firefox to version 115.

With more than 392 million users, Firefox stands as one of the most used browsers in the world due to its features and security. Security researchers globally prefer Firefox over any other browsers due to its usability and convenience.

“AI-based email security measures Protect your business From Email Threats!” – .

Website

Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles