As usual, the Mozilla team assigned two overarching CVE numbers to bugs that they found and fixed using proactive techniques such as fuzzing, where buggy code is automatically probed for flaws, documented, and patched without waiting for someone to figure out just how exploitable those bugs might be:

* CVE-2022-38477 covers bugs that affect only Firefox builds based on the code of version 102 and later, which is the codebase used by the main version, now updated to 104.0, and by the primary Extended Support Release version, which is now ESR 102.2.
* CVE-2022-38478 covers additional bugs that exist in the Firefox code going back to version 91, because that is the basis of the secondary Extended Support Release, which now stands at ESR 91.13.

As usual, Mozilla is plain-speaking enough to make the simple pronouncement that:

"Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code."

ESR demystified

As we've explained before, Firefox Extended Support Release is aimed at conservative home users and at corporate sysadmins who prefer to delay feature updates and functionality changes, as long as they don't miss out on security updates by doing so.

The ESR version numbers combine to tell you what feature set you have, plus how many security updates there have been since that version came out.

So, for ESR 102.2, we have 102+2 = 104 (the current leading-edge version). Similarly, for ESR 91.13, we have 91+13 = 104, to make it clear that although version 91 is still back at the feature set from about a year ago, it's up-to-the-moment as far as security patches are concerned.

The reason there are two ESRs at any time is to provide a substantial double-up period between versions, so you are never stuck with taking on new features just to get security fixes – there's always an overlap during which you can keep using the old ESR while trying out the new ESR to get ready for the necessary switchover in the future.

The two specific and apparently-related vulnerabilities that made the High category this month were:

* CVE-2022-38472: Address bar spoofing via XSLT error handling.
* CVE-2022-38473: Cross-origin XSLT Documents would have inherited the parent's permissions.

As you can imagine, these bugs mean that rogue content fetched from an otherwise innocent-looking site could end up with Firefox tricking you into trusting web pages that you shouldn't.

In the first bug, Firefox could be lured into presenting content served up from an unknown and untrusted site as if it had come from a URL hosted on a server that you already knew and trusted.

In the second bug, web content from an untrusted site X shown in a sub-window (an IFRAME, short for inline frame) within a trusted site Y could end up with security permissions "borrowed" from parent window Y that you would not expect to be passed on (and that you would not knowingly grant) to X, including access to your webcam and microphone.

To check that you're patched: on desktops or laptops, go to Help > About Firefox to check if you're up-to-date. If not, the About window will prompt you to download and activate the needed update – you are looking for 104.0, or ESR 102.2, or ESR 91.13, depending on which release series you are on.

On your mobile phone, check with Google Play or the Apple App Store to ensure you've got the latest version.

On Linux and the BSDs, if you are relying on the version of Firefox packaged by your distribution, check with your distro maker for the latest version they've published.

An earlier advisory, covering Firefox 59.0.1 and Firefox ESR 52.7.2, follows.

Description: Multiple vulnerabilities have been discovered in Mozilla Firefox and Firefox Extended Support Release (ESR), which could allow for remote code execution.

Details of the vulnerabilities are as follows:

* A remote code-execution vulnerability exists because Firefox fails to properly process Vorbis audio data. Specifically, this issue occurs due to an out-of-bounds write error in the 'libvorbis' library.
* A related remote code-execution vulnerability affects the 'libtremor' library (a fixed-point Vorbis decoder). Specifically, this issue occurs due to an out-of-bounds write error in the 'libtremor' library.

Impact: Successful exploitation of these vulnerabilities could allow for remote code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

The affected versions are:

* Mozilla Firefox versions prior to 59.0.1
* Mozilla Firefox ESR versions prior to 52.7.2

Recommendation:

* Apply appropriate updates provided by Mozilla to vulnerable systems, immediately after appropriate testing.
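The update checks and the ESR arithmetic described above can be turned into a fleet audit rather than a per-machine visit to Help > About Firefox. The following is an added example, not code from the article or from Mozilla: it parses the version strings that About Firefox or `firefox --version` produce, classifies each against the patched releases this page names (104.0, ESR 102.2, ESR 91.13), and computes the "major + minor" mainline equivalent for an ESR build. The host names and version strings are constructed sample data, and the FIXED table is an assumption limited to those three releases; any other ESR series is reported as unknown rather than guessed at.

```javascript
// Added example (not the article's or Mozilla's code): audit Firefox version
// strings against the patched releases named on this page. The FIXED table
// is an assumption covering only 104.0, ESR 102.2 and ESR 91.13.

const FIXED = {
  release: { version: [104, 0, 0], label: '104.0' },
  esr102: { version: [102, 2, 0], label: 'ESR 102.2' },
  esr91: { version: [91, 13, 0], label: 'ESR 91.13' },
};

// Accepts the text shown by Help > About Firefox or printed by `firefox --version`,
// e.g. "Mozilla Firefox 102.1.0esr". A missing patch component counts as 0.
function parseVersion(text) {
  const m = /(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b/i.exec(text);
  if (!m) throw new Error(`no Firefox version found in: ${text}`);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3] || 0)], esr: Boolean(m[4]) };
}

// Lexicographic comparison of [major, minor, patch].
function compareParts(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// The arithmetic explained above: for an ESR build, major + minor is the
// mainline release carrying the same security fixes (102+2 = 104, 91+13 = 104).
function esrEquivalent(text) {
  const v = parseVersion(text);
  if (!v.esr) throw new Error('not an ESR build');
  return v.parts[0] + v.parts[1];
}

// Classify one version string as patched or vulnerable for its series, or as
// unknown for an ESR series this page says nothing about.
function patchStatus(text) {
  const v = parseVersion(text);
  const series = !v.esr ? 'release'
    : v.parts[0] === 102 ? 'esr102'
    : v.parts[0] === 91 ? 'esr91'
    : null;
  const installed = v.parts.join('.') + (v.esr ? 'esr' : '');
  if (!series) return { installed, status: 'unknown', required: null };
  const target = FIXED[series];
  return {
    installed,
    status: compareParts(v.parts, target.version) >= 0 ? 'patched' : 'vulnerable',
    required: target.label,
  };
}

// Constructed sample: `firefox --version` output collected from a few hosts.
const SAMPLE_HOSTS = [
  ['laptop-01', 'Mozilla Firefox 104.0'],
  ['laptop-02', 'Mozilla Firefox 103.0.2'],
  ['kiosk-07', 'Mozilla Firefox 102.1.0esr'],
  ['build-03', 'Mozilla Firefox 91.13.0esr'],
  ['legacy-09', 'Mozilla Firefox 78.15.0esr'],
];

function audit(hosts) {
  return hosts.map(([host, text]) => ({ host, ...patchStatus(text) }));
}

for (const row of audit(SAMPLE_HOSTS)) {
  const need = row.required ? ` (need ${row.required})` : '';
  console.log(`${row.host}: ${row.installed} -> ${row.status}${need}`);
}
```

The point of treating an ESR line as its own series is that a build reporting 91.13.0esr is fully patched even though 91 is numerically far behind 104; comparing raw major numbers across series would flag every ESR host as out of date.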
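The "borrowed permissions" bug described above (untrusted site X framed inside trusted site Y ending up with Y's webcam and microphone access) is a failure of the rule that powerful features reach an embedded frame only when the embedding page explicitly delegates them. The following is an added example, not Mozilla's code and not a reproduction of the bug: it is a simplified model of that delegation rule for the Permissions-Policy response header and the iframe allow attribute, written so a site operator can see which combinations of header and attribute hand camera or microphone to a cross-origin frame. The rules are an assumed simplification (the feature must be enabled for the parent page itself, the parent's declared policy, if any, must name the frame's origin, and the iframe must delegate it, with the default allowlist 'self' meaning same-origin frames only); the origins and header values are constructed.

```javascript
// Added example (not Mozilla's code): a simplified model of how a permission
// such as camera or microphone should reach an embedded frame. The three rules
// in featureEnabledInFrame are an assumed simplification of the Permissions
// Policy algorithm, chosen so nothing reaches a cross-origin frame without an
// explicit grant. Origins and policies below are constructed.

// Assumed default allowlists: camera and microphone default to 'self'.
const DEFAULT_ALLOWLIST = { camera: ['self'], microphone: ['self'] };

// Parse a Permissions-Policy response header such as
//   camera=(self "https://cam.example"), microphone=()
// into { feature: [tokens] }; tokens are 'self', '*' or a quoted origin.
function parseHeader(header) {
  const policy = {};
  for (const item of header.split(',')) {
    const m = /^\s*([a-z-]+)=(\*|\(([^)]*)\))\s*$/.exec(item);
    if (!m) continue;
    if (m[2] === '*') { policy[m[1]] = ['*']; continue; }
    const inner = m[3].trim();
    policy[m[1]] = inner ? inner.split(/\s+/).map(t => t.replace(/^"|"$/g, '')) : [];
  }
  return policy;
}

// Parse an iframe allow attribute such as "camera https://x.example; microphone 'none'".
// A feature with no origins means 'src' (the frame's own origin).
function parseAllowAttribute(attr) {
  const policy = {};
  for (const decl of attr.split(';')) {
    const tokens = decl.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...origins] = tokens;
    policy[feature] = origins.length ? origins.map(t => t.replace(/^'|'$/g, '')) : ['src'];
  }
  return policy;
}

function allowlistMatches(list, origin, ctx) {
  return list.some(t => {
    if (t === '*') return true;
    if (t === 'none') return false;
    if (t === 'self') return origin === ctx.parentOrigin;
    if (t === 'src') return origin === ctx.frameOrigin;
    return t === origin;
  });
}

// Is `feature` usable inside a frame from `frameOrigin`, embedded by a page at
// `parentOrigin` that sent `header` and wrote `allowAttr` on the iframe?
function featureEnabledInFrame({ feature, parentOrigin, frameOrigin, header = '', allowAttr = '' }) {
  const declared = parseHeader(header);
  const container = parseAllowAttribute(allowAttr);
  const ctx = { parentOrigin, frameOrigin };
  const defaults = DEFAULT_ALLOWLIST[feature] || ['self'];

  // 1. The embedding page must itself be allowed the feature.
  if (!allowlistMatches(declared[feature] || defaults, parentOrigin, ctx)) return false;
  // 2. If the page declares a policy for the feature, the frame's origin must be in it.
  if (declared[feature] && !allowlistMatches(declared[feature], frameOrigin, ctx)) return false;
  // 3. The iframe must delegate the feature: through its allow attribute, or,
  //    when the attribute is silent, through the default allowlist, which for
  //    camera and microphone admits only a same-origin frame.
  return allowlistMatches(container[feature] || defaults, frameOrigin, ctx);
}

// Constructed scenario matching the article: trusted Y embeds untrusted X.
const Y = 'https://trusted.example';
const X = 'https://untrusted.example';

console.log('X framed by Y, no header, no allow, camera:',
  featureEnabledInFrame({ feature: 'camera', parentOrigin: Y, frameOrigin: X }));
console.log('same header, allow="camera" on the iframe:',
  featureEnabledInFrame({ feature: 'camera', parentOrigin: Y, frameOrigin: X, allowAttr: 'camera' }));
console.log('Y sends camera=(), allow="camera":',
  featureEnabledInFrame({ feature: 'camera', parentOrigin: Y, frameOrigin: X, header: 'camera=()', allowAttr: 'camera' }));
```

Under this model the cross-origin frame gets the camera only when the embedding page both permits the feature for itself and delegates it on the iframe; a page that sends `Permissions-Policy: camera=(), microphone=()` has no camera or microphone access of its own, so there is nothing for a framed document to inherit, which is the defence-in-depth setting for pages that never need those devices.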