Update Firefox: Mozilla just patched three hijack-me holes and a bunch of other flaws
Mozilla has emitted security updates for Firefox to address eight CVE-listed security flaws, five of them considered to be high-risk vulnerabilities.
The patches, present in Firefox 77, should be downloaded and installed automatically for most users, so if you haven’t closed out and relaunched your browser in a while, now might be a good time.
Of the five high-risk flaws, three are confirmed to allow arbitrary code execution, which in the case of a web browser means that simply loading up a malicious page could lead to malware running on your machine. As it turns out, all three of the code execution bugs were found in-house by Mozilla developers, rather than miscreants exploiting them in the wild, which is good news.
Iain Ireland took credit for uncovering CVE-2020-12406, a JavaScript type confusion error that occurs when handling NativeTypes. Devs Tom Tung and Karl Tomlinson shared credit for the discovery of the memory corruption bugs described in CVE-2020-12410, while Mozilla developers :Gijs and Randell Jesup found multiple memory corruption bugs that fell under the designation CVE-2020-12411.
While Mozilla did not say it had specifically seen proof of code in circulation allowing remote code execution for the bugs, it’s pretty sure that with a bit of effort an attacker could get a working exploit up and running for all of them.
Also getting the designation of high-risk vulnerability was CVE-2020-12399. Described as a timing attack in the NSS library, the flaw allows for key disclosure.
“NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys,” Mozilla explains.
Credit for the discovery went to Cesar Pereida Garcia and the Network and Information Security Group from Finland’s Tampere University.
Prepare to have your shonky password hygiene shamed by Firefox 76
The fifth of the high-risk flaws is CVE-2020-12405, discovered and reported by Marcin “Icewall” Noga of Cisco Talos. Mr. Icewall found a use after free bug in the SharedWorkService component that, when coded into a web page, would allow for what Mozilla termed an “exploitable crash”.
Of the remaining three CVE-entries, CVE-2020-12407 is the most serious. The moderate-rated flaw is a GPU memory leak bug that, interestingly enough, displays memory contents on the screen so that the local user can see them, but not to any web content. Credit for the discovery went to Mozilla developer Nicolas Silva.
CVE-2020-12408 and CVE-2020-12408 are both low-risk URL spoofing bugs discovered by independent researcher Rayyan Bijoora. In the case of 12408, the character spoofing is possible when displaying a URL hosted on an IP address (domain and path information can be spoofed) while 12409 allows spoofing by allowing blank unicode characters in a URL to be shown as spaces.
Talos details Zoom RCEs
Were you wondering why you recently had to update your Zoom software as well? A pair of reports from Cisco Talos might explain why. Unnamed researchers with the security firm laid claim to a pair of remote code execution flaws that were privately disclosed to Zoom and patched last month.
CVE-2020-6109 is an arbitrary file write vulnerability that arises when the Zoom client receives a chat message containing animated GIFs.
“A specially crafted chat message can cause an arbitrary file write, which could potentially be abused to achieve arbitrary code execution,” Talos explains. “An attacker needs to send a specially crafted message to a target user or a group to exploit this vulnerability.”
CVE-2020-1056 is also exploitable via specially crafted chat messages, this time with embedded code snippets.
“An exploitable partial path traversal vulnerability exists in the way Zoom Client version 4.6.10 processes messages including shared code snippets,” Talos says. “A specially crafted chat message can cause an arbitrary binary planting which could be abused to achieve arbitrary code execution.”
In each case, the flaw can be shored up by updating to the latest version of the Zoom client.
Of course, that won’t do much to keep out the FBI or other law enforcement agencies, thanks to Zoom’s vow to never encrypt free calls. ®
Sponsored: Webcast: Ransomware has gone nuclear
READ MORE HERE