"Mozilla Patches Firefox Vulnerability Allowing Remote Code Execution, Sandbox Escape"
Mozilla recently announced security updates for Firefox and Thunderbird to address 20 vulnerabilities, including several memory safety issues. Firefox 121 was released with patches for 18 vulnerabilities, five of which have a high severity rating. The most severe vulnerability is CVE-2023-6856, a heap buffer overflow bug in WebGL, the JavaScript API for rendering interactive graphics within the browser. This vulnerability could allow an attacker to perform remote code execution and sandbox escape. The next most severe vulnerability is CVE-2023-6135, an issue rendering Network Security Services (NSS) NIST curves vulnerable to the Minerva side-channel attack, which could allow adversaries to recover the long-term private key. Mozilla also resolved CVE-2023-6865, a bug potentially exposing uninitialized data in EncryptingOutputStream, which could be exploited to write data to a local disk, potentially impacting the private browsing mode. Mozilla noted that the latest Firefox iteration also addresses multiple memory safety issues that are collectively tracked as CVE-2023-6873 and CVE-2023-6864. The latter also impacts Firefox ESR and Thunderbird. Firefox 121 also resolves eight medium-severity flaws, including heap buffer overflow, use-after-free, and sandbox escape issues. The remaining five bugs are rated as low severity. Mozilla released Thunderbird 115.6, which patches 11 vulnerabilities, nine of which were also addressed in Firefox. The remaining two, both high-severity flaws, could allow attackers to spoof email messages (CVE-2023-50762) or spoof the time at which a message was sent (CVE-2023-50761). Mozilla did not mention if any of these vulnerabilities are being exploited in attacks.