Mozilla Firefox, Firefox ESR, and Thunderbird Security Updates

Overview:

Mozilla has released a security advisory to address multiple vulnerabilities. By exploiting these vulnerabilities, an attacker could take control of a vulnerable system.

In this security update, Mozilla addressed a total of 8 vulnerabilities in Firefox, Firefox ESR, and Thunderbird. Of the 8, five are rated High, one Moderate, and two Low in severity.

Timing Attack, Use-after-free and Arbitrary Code Execution have High Severity:

Remote Code Execution

Type confusion vulnerability CVE-2020-12406, reported by Mozilla developer Iain Ireland. A missing type check during the removal of unboxed JavaScript objects results in a crash. Successful exploitation of this vulnerability may allow an attacker to run arbitrary code.

Memory safety vulnerability CVE-2020-12410, reported by Mozilla developers Tom Tung and Karl Tomlinson. Successful exploitation of this vulnerability may allow an attacker to run arbitrary code.

Memory safety vulnerability CVE-2020-12411, reported by Mozilla developers Gijs and Randell Jesup. Successful exploitation of this vulnerability may allow an attacker to run arbitrary code.

Timing Attack Vulnerability

Timing attack vulnerability CVE-2020-12399, reported by security researcher Cesar Pereida Garcia and the Network and Information Security Group (NISEC) at Tampere University. The NSS library showed timing differences when computing DSA signatures; successful exploitation could expose a user's private key.
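The advisory does not spell out why a timing difference during signing ends in a lost private key. The following is an added example written for this page (it is not Mozilla or NSS code) showing the DSA arithmetic behind that claim: once an attacker learns anything about the per-signature nonce k, the signing equation can be solved for the private key x. The domain parameters, key, nonce and digest value are constructed toy values, labelled as assumptions in the code; a real attack on full-size keys recovers partial nonce bits across many signatures and solves the resulting hidden-number problem with lattice methods rather than by enumeration.

```python
from typing import Optional, Tuple

# Constructed toy DSA domain parameters (assumption: deliberately tiny so the
# arithmetic can be followed by hand; NOT secure). Q divides P - 1 and G has
# order Q in the multiplicative group mod P.
P, Q, G = 47, 23, 4


def dsa_sign(x: int, h: int, k: int) -> Tuple[int, int]:
    """Textbook DSA signing with a caller-supplied nonce k.

    h is the message digest already reduced mod Q. A real implementation draws
    k at random and must keep both its value and its bit length secret; the
    NSS bug leaked timing that depends on k.
    """
    if not 1 <= k < Q:
        raise ValueError("nonce must satisfy 1 <= k < Q")
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (h + x * r)) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; choose another nonce")
    return r, s


def dsa_verify(y: int, h: int, sig: Tuple[int, int]) -> bool:
    """Standard DSA verification against the public key y = G^x mod P."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (h * w) % Q
    u2 = (r * w) % Q
    return ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q == r


def recover_private_key(h: int, sig: Tuple[int, int], k: int) -> int:
    """Solve s = k^-1 (h + x r) mod Q for x once the nonce k is known."""
    r, s = sig
    return ((s * k - h) * pow(r, -1, Q)) % Q


def recover_from_short_nonce(y: int, h: int, sig: Tuple[int, int],
                             max_bits: int) -> Optional[int]:
    """Attacker model: a side channel revealed only that k < 2**max_bits.

    In this toy group the candidate nonces can simply be enumerated; each
    candidate yields one x, and the correct one reproduces the public key.
    Against real-sized groups the same partial information is fed to a
    lattice solver instead of a brute-force loop.
    """
    for k in range(1, 1 << max_bits):
        x = recover_private_key(h, sig, k)
        if pow(G, x, P) == y:
            return x
    return None


if __name__ == "__main__":
    x = 7                     # constructed private key
    y = pow(G, x, P)          # public key
    h = 10                    # constructed digest value (mod Q)
    sig = dsa_sign(x, h, k=5)
    print("signature:", sig, "verifies:", dsa_verify(y, h, sig))
    print("nonce known    ->", recover_private_key(h, sig, 5))
    print("nonce < 2**3   ->", recover_from_short_nonce(y, h, sig, 3))
```

The point to take from the toy is that the leak need not reveal k itself: in this group knowing only that the nonce is short already pins the key down, and the same information from a few dozen real signatures is what a lattice attack consumes.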

Use-after-free

Use-after-free vulnerability CVE-2020-12405, reported by security researcher Marcin 'Icewall' Noga of Cisco Talos. While browsing a malicious page, a race condition in SharedWorkerService can occur, leading to a potentially exploitable crash.

Moderate Severity:

GPU memory leak (WebRender)

Moderate severity vulnerability CVE-2020-12407, reported by Mozilla developer Nicolas Silva. When using the GPU-based 2D rendering engine WebRender, Firefox would under certain conditions leak arbitrary GPU memory to the visible screen. The leaked content is visible to the user but not observable from web content.

Low Severity:

URL Spoofing

Two low severity URL spoofing vulnerabilities, CVE-2020-12408 and CVE-2020-12409, reported by independent security researcher Rayyan Bijoora, allow the domain shown in the address bar to be misrepresented.

Affected version:

  • Firefox prior to 77
  • Firefox ESR prior to 68.9
  • Thunderbird prior to 68.9.0
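A practical check against the version list above, as an added example for this page rather than a Qualys or Mozilla tool: it parses Mozilla-style version strings, treats an "esr" suffix as the ESR branch, and flags anything older than the fixed releases. The inventory format ("host product version" per line) and the sample hosts are constructed assumptions; pre-release suffixes such as beta builds are not handled.

```python
import re
from typing import List, Optional, Tuple

# First non-vulnerable release per product, taken from the advisory.
FIXED = {
    "firefox": (77, 0, 0),
    "firefox-esr": (68, 9, 0),
    "thunderbird": (68, 9, 0),
}

# Accepts "77", "76.0.1" and "68.8.0esr"; anything else is rejected.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], Optional[str]]:
    """Split '68.8.0esr' into ((68, 8, 0), 'esr') and '77.0' into ((77, 0, 0), None)."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor or 0), int(patch or 0)), suffix


def is_affected(product: str, version: str) -> bool:
    """True when the product/version is older than the fixed release."""
    product = product.lower()
    number, suffix = parse_version(version)
    if product == "firefox" and suffix == "esr":
        product = "firefox-esr"  # an ESR build is judged on the ESR branch
    if product not in FIXED:
        raise ValueError(f"unknown product: {product!r}")
    return number < FIXED[product]


# Constructed sample inventory (assumption: "host product version" per line).
SAMPLE_INVENTORY = """
ws01 firefox 76.0.1
ws02 firefox 77.0
ws03 firefox 68.8.0esr
srv01 firefox-esr 68.9.0esr
mail01 thunderbird 68.9.0
mail02 thunderbird 68.8.1
"""


def affected_hosts(inventory: str) -> List[str]:
    """Return the hosts in the inventory that still run an affected build."""
    hits = []
    for line in inventory.strip().splitlines():
        host, product, version = line.split()
        if is_affected(product, version):
            hits.append(host)
    return hits


if __name__ == "__main__":
    print("affected:", affected_hosts(SAMPLE_INVENTORY))
```

Note that a regular (non-ESR) Firefox 68.x is also flagged, because it is simply an old release below 77; the ESR threshold only applies to builds that identify themselves as ESR.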

Advisory:

https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/

Mitigation:

Update to Firefox 77, Firefox ESR 68.9, or Thunderbird 68.9.0 or later. Qualys Threat Research Lab provides detection of these vulnerabilities with QIDs 372825 and 372835. Continue to follow Qualys Threat Protection for more coverage on vulnerabilities.
