Mozilla patches high-severity security flaws in new ‘speedy’ Firefox release

Mozilla has released patches for 11 security vulnerabilities across its latest Firefox and Thunderbird versions, five of which have been assigned a ‘high’ severity rating.

The vulnerabilities affect the latest Firefox 105 version released this week as well as Firefox Extended Support Release (ESR) 102.3, and Mozilla’s open source email client Thunderbird 91.13.1.

One of the most serious bugs affects both the latest Firefox 105 and Firefox ESR browsers, potentially allowing for code execution.

The vulnerability, tracked as CVE-2022-40962, was discovered by Mozilla’s own Fuzzing Team which found memory corruption issues that could have been exploited to run arbitrary code “with enough effort”.

It’s not clear what this effort might entail but code execution is one of the most serious vulnerabilities that can affect a system, allowing attackers to execute a range of tasks such as installing malware, exfiltrating data, and stealing credentials.

Wider improvements to memory handling were one of the standout new features that Mozilla delivered to Firefox with the release of version 105 earlier this week, in a addition to an overall increase browser speed.

The browser’s stability is said to be improved thanks to the way in which it now handles low-memory situations better. Mozilla said Firefox is also now less likely to run out of memory on Linux, performing better on systems when system-wide memory is low.

Some of the other high-severity issues fixed involved a pair of vulnerabilities affecting Firefox 105 were fixed due to both of them leading to potentially exploitable crashes.

In the case of CVE-2022-3266, an out-of-bounds read error could occur when a user tried to decode a video which was encoded with the popular H.264 file compression codec.

The other was a use-after-free issue again potentially causing an exploitable crash in situations where concurrent use of the browser’s URL parser with non-UTF-8 data was not thread-safe. Non-UTF-8 data refers to characters that cannot be encoded by the UTF-8 Unicode standard.

CVE-2022-40959 is a vulnerability in Firefox 105 that led to device permissions leaked to untrusted documents. This occurred when specific pages didn’t initialise their FeaturePolicy during iframe navigation.

The final high-severity flaw impacted Thunderbird and could potentially lead to JavaScript code execution.

It could be exploited if a user replied to a specially crafted email containing a meta tag which had the ‘http-equiv=”refresh” attribute and the content attribute specifying an URL. In this scenario, Thunderbird would start a network request to that URL and when combined with other HTML elements and attributes, code execution could be achieved.

“The JavaScript code was able to perform actions including, but probably not limited to, read and modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email,” said Mozilla.

“The contents could then be transmitted to the network, either to the URL specified in the meta refresh tag, or to a different URL, as the JavaScript code could modify the URL specified in the document.”

The US’ Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert pointing to the security advisories for Firefox and Thunderbird, advising users and system administrators to apply the necessary patches.