IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Mozilla patches high-severity security flaws in new ‘speedy’ Firefox release

Numerous vulnerabilities across Mozilla's products could potentially lead to code execution and system takeover

Mozilla has released patches for 11 security vulnerabilities across its latest Firefox and Thunderbird versions, five of which have been assigned a ‘high’ severity rating.

The vulnerabilities affect the latest Firefox 105 version released this week as well as Firefox Extended Support Release (ESR) 102.3, and Mozilla’s open source email client Thunderbird 91.13.1.

One of the most serious bugs affects both the latest Firefox 105 and Firefox ESR browsers, potentially allowing for code execution.

The vulnerability, tracked as CVE-2022-40962, was discovered by Mozilla’s own Fuzzing Team which found memory corruption issues that could have been exploited to run arbitrary code “with enough effort”.

It’s not clear what this effort might entail but code execution is one of the most serious vulnerabilities that can affect a system, allowing attackers to execute a range of tasks such as installing malware, exfiltrating data, and stealing credentials.

Wider improvements to memory handling were one of the standout new features that Mozilla delivered to Firefox with the release of version 105 earlier this week, in a addition to an overall increase browser speed.

The browser’s stability is said to be improved thanks to the way in which it now handles low-memory situations better. Mozilla said Firefox is also now less likely to run out of memory on Linux, performing better on systems when system-wide memory is low.

Some of the other high-severity issues fixed involved a pair of vulnerabilities affecting Firefox 105 were fixed due to both of them leading to potentially exploitable crashes. 

In the case of CVE-2022-3266, an out-of-bounds read error could occur when a user tried to decode a video which was encoded with the popular H.264 file compression codec.

The other was a use-after-free issue again potentially causing an exploitable crash in situations where concurrent use of the browser’s URL parser with non-UTF-8 data was not thread-safe. Non-UTF-8 data refers to characters that cannot be encoded by the UTF-8 Unicode standard.

CVE-2022-40959 is a vulnerability in Firefox 105 that led to device permissions leaked to untrusted documents. This occurred when specific pages didn’t initialise their FeaturePolicy during iframe navigation.

The final high-severity flaw impacted Thunderbird and could potentially lead to JavaScript code execution.

Related Resource

The future of work is already here. Now’s the time to secure it.

Robust security to protect and enable your business

Whitepaper cover with BT logo and title, and businessman looking into the distanceFree Download

It could be exploited if a user replied to a specially crafted email containing a meta tag which had the ‘http-equiv=”refresh” attribute and the content attribute specifying an URL. In this scenario, Thunderbird would start a network request to that URL and when combined with other HTML elements and attributes, code execution could be achieved.

“The JavaScript code was able to perform actions including, but probably not limited to, read and modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email,” said Mozilla.

“The contents could then be transmitted to the network, either to the URL specified in the meta refresh tag, or to a different URL, as the JavaScript code could modify the URL specified in the document.”

The US’ Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert pointing to the security advisories for Firefox and Thunderbird, advising users and system administrators to apply the necessary patches.

Featured Resources

Three ways manual coding is killing your business productivity

...and how you can fix it

Free Download

Goodbye broadcasts, hello conversations

Drive conversations across the funnel with the WhatsApp Business Platform

Free Download

Winning with multi-cloud

How to drive a competitive advantage and overcome data integration challenges

Free Download

Talking to a business should feel like messaging a friend

Managing customer conversations at scale with the WhatsApp Business Platform

Free Download

Recommended

Mozilla adds paid tier, new features to developer network platform
web development

Mozilla adds paid tier, new features to developer network platform

25 Mar 2022

Most Popular

What your hybrid workforce needs from their laptops
Advertisement Feature

What your hybrid workforce needs from their laptops

21 Sep 2022
How to secure your hybrid workforce
Advertisement Feature

How to secure your hybrid workforce

23 Sep 2022
BT's new platform promises to slash AI development time from months to days
artificial intelligence (AI)

BT's new platform promises to slash AI development time from months to days

3 Oct 2022