Mozilla has released security updates for the Firefox browser and the Thunderbird mail client to address multiple vulnerabilities, including several rated high severity.
Firefox 95 began rolling out to users at the beginning of this week with the new RLBox isolation technology built in, which is intended to improve protection against web attacks by sandboxing complex sub-components of the browser. The release also contains patches for 13 vulnerabilities, including six rated high severity. Some of these patches were also incorporated in Firefox ESR 91.4 and Thunderbird 91.4.0. If successfully exploited, the most serious of these flaws could allow an attacker to run arbitrary code in the context of the vulnerable application, which could lead to full system compromise.

The first of the high-severity vulnerabilities could result in the target URL being leaked during navigation while asynchronous functions are executing (CVE-2021-43536). Another is a heap buffer overflow caused by "incorrect type conversion of sizes from 64bit to 32bit integers". Mozilla also fixed a potential spoofing issue in which the fullscreen and pointer lock notifications could be suppressed when both were requested at once (CVE-2021-43538), and a use-after-free caused by the garbage collector failing to track live pointers (CVE-2021-43539). Patches for these four high-severity vulnerabilities were shipped to Firefox, Firefox ESR, and Thunderbird users. Mozilla further addressed a high-severity use-after-free flaw in Firefox for macOS, and shipped fixes for high-severity memory safety bugs found in previous versions of its applications, along with fixes for several medium- and low-severity vulnerabilities. Installations running Firefox 95, Firefox ESR 91.4 or Thunderbird 91.4.0 and later contain these fixes; the installed version can be confirmed from the application's About dialog.

To raise awareness of these vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on Wednesday urging organizations to apply the available patches as soon as possible. "Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system," CISA notes.
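The heap buffer overflow described above stems from narrowing a 64-bit size to a 32-bit integer. The C program below is an added illustration of that bug class written for this page; it is not Mozilla's code and not the actual Firefox bug. The record layout (an 8-byte little-endian length followed by a payload), the function names and the sample inputs are constructed assumptions. It computes the mismatched allocation and copy sizes that the vulnerable pattern produces, without performing the unsafe copy, and beside it shows a checked parser that rejects any length which does not fit in 32 bits or exceeds the bytes actually present.

```c
/* Added illustration of 64-bit to 32-bit size truncation (not Mozilla's code).
 * Record format and names are assumptions made for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record format: 8-byte little-endian length, then payload. */
static uint64_t read_u64_le(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Vulnerable pattern: the declared length is narrowed to 32 bits for the
 * allocation but used at full width for the copy. For 0x100000010 the
 * allocation would be 16 bytes while the copy would write 4 GiB past it.
 * Only the two sizes are computed here; no copy is performed. */
void vulnerable_sizes(uint64_t declared_len, uint32_t *alloc_len, uint64_t *copy_len) {
    *alloc_len = (uint32_t)declared_len; /* silent truncation */
    *copy_len = declared_len;            /* full-width length drives memcpy */
}

/* Hardened parser: rejects lengths that do not fit the 32-bit allocation
 * size and lengths larger than the bytes present in the buffer. Returns a
 * malloc'd copy of the payload (caller frees), or NULL on rejection. */
uint8_t *parse_record_checked(const uint8_t *buf, size_t buflen, uint32_t *out_len) {
    if (buflen < 8) return NULL;
    uint64_t declared = read_u64_le(buf);
    if (declared > UINT32_MAX) return NULL;   /* would truncate on cast */
    if (declared > buflen - 8) return NULL;   /* claims more than is present */
    uint8_t *out = malloc(declared ? (size_t)declared : 1);
    if (!out) return NULL;
    memcpy(out, buf + 8, (size_t)declared);
    *out_len = (uint32_t)declared;
    return out;
}

int main(void) {
    /* Constructed sample: length 5, payload "hello". */
    uint8_t good[13] = {5, 0, 0, 0, 0, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
    /* Constructed hostile header: 0x100000005, which truncates to 5 in 32 bits. */
    uint8_t bad[13]  = {5, 0, 0, 0, 1, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
    uint32_t alloc_len, len;
    uint64_t copy_len;

    vulnerable_sizes(read_u64_le(bad), &alloc_len, &copy_len);
    printf("vulnerable: alloc %u bytes, copy %llu bytes\n",
           alloc_len, (unsigned long long)copy_len);

    uint8_t *p = parse_record_checked(good, sizeof good, &len);
    printf("checked good: %s\n", p ? "accepted" : "rejected");
    free(p);
    p = parse_record_checked(bad, sizeof bad, &len);
    printf("checked bad: %s\n", p ? "accepted" : "rejected");
    free(p);
    return 0;
}
```

The second check (declared length against bytes present) matters independently of the first: even a length that fits in 32 bits can exceed the input, so a parser needs both bounds before it allocates and copies.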
Airzero sec's Cyber Security Consulting backs your organization with years of experience working on projects for some of the world's largest organizations. Tap into that expertise on demand to support your projects or as you implement technical controls. If you have any questions about the above topic, don't hesitate to contact us through the given email.
Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/