Mozilla has released a security advisory to address multiple vulnerabilities. By exploiting these vulnerabilities, an attacker could take control of a vulnerable system.
In this security update, Mozilla addressed a total of 8 vulnerabilities in Firefox, Firefox ESR, and Thunderbird. Of the 8, five are flagged as High, one is rated Moderate, and two are rated Low in severity.
The timing attack, use-after-free and arbitrary code execution vulnerabilities are rated High severity:
Remote Code Execution
Memory safety vulnerability CVE-2020-12410, reported by Mozilla developers Tom Tung and Karl Tomlinson. Successful exploitation of this vulnerability may allow an attacker to run arbitrary code.
Memory safety vulnerability CVE-2020-12411, reported by Mozilla developers Gijs and Randell Jesup. Successful exploitation of this vulnerability may allow an attacker to run arbitrary code.
Timing Attack Vulnerability
Vulnerability CVE-2020-12399, reported by security researcher Cesar Pereida Garcia and the Network and Information Security Group (NISEC) at Tampere University. Successful exploitation of this vulnerability could expose the user's private key.
Vulnerability CVE-2020-12405, reported by security researcher Marcin ‘Icewall’ Noga of Cisco Talos. While browsing a malicious page, a race condition in SharedWorkerService could occur that leads to a potentially exploitable crash.
Memory leak vulnerability
Moderate severity vulnerability CVE-2020-12407, reported by Mozilla developer Nicolas Silva. While using the GPU-based 2D rendering engine WebRender, Firefox would under certain conditions leak arbitrary GPU memory to the visible screen. The leaked memory content is not observable from web content.
Two low severity URL Spoofing vulnerabilities CVE-2020-12408 and CVE-2020-12409, reported by independent security researcher Rayyan Bijoora.
Affected products:
- Firefox prior to 77
- Firefox ESR prior to 68.9
- Thunderbird prior to 68.9.0
Qualys Threat Research Lab provides detection of these vulnerabilities with QIDs 372825 and 372835. Continue to follow Qualys Threat Protection for more coverage of vulnerabilities.