Have you updated your Firefox browser? Mozilla just released security updates addressing eight vulnerabilities, five of which are rated high-risk. To be protected against attacks exploiting them, users should be running Firefox 77.
If you haven’t restarted your Firefox browser in a while, you should.
8 Firefox Vulnerabilities Discovered
Three of the five high-risk flaws could allow arbitrary code execution. In the context of a web browser, this means that loading a malicious page could easily lead to malware infections on the system. Fortunately, these bugs were discovered by Mozilla’s own developers.
Mozilla developers Tom Tung and Karl Tomlinson discovered the high-risk CVE-2020-12410 bugs, described as memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla says.
Next on the list of the most dangerous bugs addressed in Firefox 77 is CVE-2020-12406, a JavaScript type confusion with NativeTypes. Reported by Mozilla developer Iain Ireland, the bug could lead to arbitrary code execution. It is caused by a missing type check during unboxed objects removal, resulting in a crash.
The third vulnerability discovered in-house is CVE-2020-12411. Mozilla developers Gijs (he/him) and Randell Jesup reported memory safety bugs present in Firefox 76. Some of these bugs showed evidence of memory corruption and Mozilla researchers presume that “with enough effort some of these could have been exploited to run arbitrary code”.
CVE-2020-12399 is another of the five high-severity vulnerabilities. It is described as a timing attack on DSA signatures in the NSS library. The bug was reported by Cesar Pereida Garcia and the Network and Information Security Group (NISEC) at Tampere University. The impact of the vulnerability is considered high. According to the official Mozilla advisory, NSS showed timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys.
Another high-severity issue is CVE-2020-12405, a use-after-free vulnerability in SharedWorkerService, reported by Marcin ‘Icewall’ Noga of Cisco Talos. “When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash,” the advisory says.
The most serious of the remaining three vulnerabilities is CVE-2020-12407, rated as moderate. The flaw is related to a GPU memory leak:
Mozilla Developer Nicolas Silva found that when using WebRender, Firefox would under certain conditions leak arbitrary GPU memory to the visible screen. The leaked memory content was visible to the user, but not observable from web content.
Finally, CVE-2020-12408 and CVE-2020-12409 are both considered low-risk and are related to URL spoofing. They were reported by independent researcher Rayyan Bijoora.