We advise you to check whether you’re running the latest version of the Firefox browser. Mozilla just fixed several vulnerabilities, one critical and several high-severity. The update is included in Firefox version 84, which also boosts Firefox’s performance by adding native support for macOS hardware running on Apple processors.
The critical vulnerability is known as CVE-2020-16042. It is noteworthy that the same bug was also addressed recently in a Google Chrome security update. However, Google rated it as high in terms of severity. Furthermore, neither Mozilla nor Google has provided a technical description of the issue, which is only highlighted as a memory bug.
According to Mozilla’s security advisory, CVE-2020-16042 is an issue in BigInt, a JavaScript component, that could have caused uninitialized memory to be exposed. Google’s description is different, as the bug is referred to as “uninitialized-use” affecting Chrome’s V8 JavaScript engine. Google’s security advisory also doesn’t specify the nature of the vulnerability. What is known is that these types of bugs are largely neglected and mistaken for “insignificant memory errors.”
What about the rest of the vulnerabilities Mozilla addressed in Firefox 84?
As already mentioned, the rest of the bugs are rated as high-severity. Two of them are described as “memory safety bugs” – CVE-2020-35114 and CVE-2020-35113. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” the advisory says. Both patches addressed issues in the Firefox 84 and ESR 78.6 browsers.
Other vulnerabilities associated with browser memory are CVE-2020-26971, CVE-2020-26972 and CVE-2020-26973.
More information is available in Mozilla’s security advisory.
Earlier this year, Firefox patched an information disclosure vulnerability. CVE-2020-12418, discovered by Cisco Talos, could be exploited by tricking the user into visiting a specially crafted web page via the browser. In case of a successful exploit, the threat actor could use leaked memory to bypass ASLR (Address Space Layout Randomization). If the flaw is combined with other bugs, the attacker could obtain the ability to execute arbitrary code, the researchers warn.