Mozilla endeavors to play safe for its browsers by fixing the flaws as it spots them. Once again, Mozilla has patched critical vulnerabilities in Firefox and Firefox ESR browsers that potentially posed a serious security threat.
Mozilla Spotted Critical Vulnerabilities In Firefox Browsers
As disclosed in its security advisory, Mozilla patched two critical flaws in its Firefox browsers. The vulnerabilities allegedly affected Firefox and Firefox ESR posing a serious security threat. These vulnerabilities in Firefox browsers could allow an attacker to exploit sandboxed content processes.
The first vulnerability that Mozilla reports relates to Type confusion in JavaScript, which received CVE number CVE-2018-12386, attaining a critical severity level. While describing how it would trigger a remote attack, Mozilla explained:
“A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered.”
Whereas, the second vulnerability, “stack out-of-bounds read in Array.prototype.push” (as named by RedHat), could leak memory address triggering an attack. As explained in Mozilla’s advisory regarding the CVE-2018-12387 flaw,
“A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process.”
Patched Versions Released
The vendors came to know of the said vulnerabilities after receiving reports from three different researchers via the SecuriTeam Secure Disclosure program by Beyond Security. Consequently, Mozilla patched the bugs in its latest browser versions, Firefox 62.0.3 and Firefox ESR 60.2.2. Thus, users of Firefox and Firefox ESR browsers could protect themselves from these vulnerabilities by simply updating the patched versions.
Mozilla appeared pretty active this week as it patched multiple security flaws in various products. Right after these fixes, the vendors also released several patches for the vulnerabilities affecting Mozilla’s email client, Thunderbird.
Take your time to comment on this article.