"Firefox 122 Patches 15 Vulnerabilities"

Mozilla recently announced security updates for both Firefox and Thunderbird to patch 15 vulnerabilities, including five rated "high severity." The first high-severity flaw is an out-of-bounds write in ANGLE (Almost Native Graphics Layer Engine), the open-source graphics engine used as the default WebGL backend in both Firefox and Chrome. Mozilla noted that the issue, tracked as CVE-2024-0741, could be exploited to corrupt memory and cause a crash that could potentially lead to denial of service or arbitrary code execution. The second issue, CVE-2024-0742, is described as a "failure to update user input timestamp," allowing the user to unintentionally activate or dismiss certain browser prompts and dialogs. Other high-severity flaws Mozilla resolved include CVE-2024-0743, which exists because of an unchecked return value in TLS handshake code; CVE-2024-0744, a bug where JavaScript code could have dereferenced a wild pointer value; and CVE-2024-0745, a stack buffer overflow in WebAudio.

Mozilla noted that it also patched a medium-severity bug that "could have allowed an attacker to set an arbitrary URI in the address bar or history" and another where "a phishing site could have repurposed an about: dialog to show phishing content with an incorrect origin in the address bar." Mozilla noted that all the remaining vulnerabilities are medium-severity flaws leading to crashes, bypass of Content Security Policy, permissions request bypass, privilege escalation, or HSTS policy bypass.

Firefox 122 was released on January 23 with patches for all 15 security defects. Mozilla also pushed out Thunderbird 115.7 and Firefox ESR 115.7 with patches for nine of the bugs. Mozilla did not mention whether any of these vulnerabilities are being exploited in the wild.

 

SecurityWeek reports: "Firefox 122 Patches 15 Vulnerabilities"

Submitted by Adam Ekwall on