"High-Severity Memory Corruption Vulnerabilities Patched in Firefox, Chrome"

Mozilla and Google recently announced the release of stable updates for Firefox and Chrome to address several high-severity vulnerabilities, including memory corruption issues.

Mozilla released Firefox 117 with patches for 13 vulnerabilities, including seven rated "high severity," four of which are described as memory corruption bugs affecting the browser's IPC CanvasTranslator, IPC ColorPickerShownCallback, IPC FilePickerShownCallback, and JIT UpdateRegExpStatics components. The first three flaws are tracked as CVE-2023-4573, CVE-2023-4574, and CVE-2023-4575 and could have led to a use-after-free, causing a potentially exploitable crash. The fourth vulnerability, tracked as CVE-2023-4577, could have led to a potentially exploitable crash as well. Mozilla noted that it also patched a high-severity integer overflow (CVE-2023-4576) in the RecordedSourceSurfaceCreation component of Firefox for Windows, resulting in "a heap buffer overflow potentially leaking sensitive data that could have led to a sandbox escape." Mozilla stated that Firefox 117 also addresses multiple high-severity memory safety bugs that are collectively tracked as CVE-2023-4584 and CVE-2023-4585 and which also impact Firefox ESR and Thunderbird. The remaining six issues addressed with this browser release are medium and low-severity vulnerabilities that could lead to site spoofing, sensitive information leaks, the download of files without a warning of their potential harm, a buffer overflow, or browser context not being cleared when closing a private window.

Mozilla also announced the release of Firefox ESR 115.2 with patches for 14 vulnerabilities, including 12 resolved in Firefox 117. Additionally, Mozilla released Firefox ESR 102.15 recently with patches for six vulnerabilities.

Google stated that the recent Chrome update resolves one vulnerability, tracked as CVE-2023-4572 and described as a use-after-free flaw in MediaStream. Google noted that such issues may often be exploited to escape Chrome's sandbox and achieve remote code execution if combined with other vulnerabilities. Mozilla and Google make no mention of any of these flaws being exploited in attacks.

 

SecurityWeek reports: "High-Severity Memory Corruption Vulnerabilities Patched in Firefox, Chrome"

Submitted by Anonymous on