Mozilla released a new version of its Firefox browser (100.0.2) fixing a set of two critical security vulnerabilities. The patches make this minor update quite significant in importance. Affected versions include Firefox, Firefox ESR, Firefox for Android, and Thunderbird (Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, Thunderbird 91.9.1).
You should update your browser immediately, as both could have a critical impact in case of a successful exploit.
Vulnerabilities Fixed in Mozilla Firefox Version 100.0.2
The latest update fixes two critical issues: CVE-2022-1802 and CVE-2022-1529.
The first vulnerability was discovered by Manfred Paul and reported via Trend Micro’s Zero Day Initiative. According to Mozilla’s advisory, “if an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.”
The second vulnerability has been reported by the same researcher, and it also involves JavaScript. “An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process,” as per the advisory.
In March, Mozilla released two out-of-band updates to address a couple of critical zero-day vulnerabilities in its browser. Both vulnerabilities were actively exploited in the wild. The two zero-days, CVE-2022-26485 and CVE-2022-26486, stemmed from use-after-free issues affecting the Extensible Stylesheet Language Transformations (XSLT) parameter processing, as well as the WebGPU inter-process communication framework (IPC).