Mozilla patched high-severity vulnerabilities with the release of Firefox 81 and Firefox ESR 78.3, including several that could be exploited to run arbitrary code.
Two of the high-severity bugs (CVE-2020-15674 and CVE-2020-15673) are memory-safety bugs, the class of defect (buffer overflows, use-after-free and similar errors) that lets code read or write memory it should not. CVE-2020-15674 was present in Firefox 80, while CVE-2020-15673 was present in both Firefox 80 and Firefox ESR 78.2. Firefox ESR (Extended Support Release) is a Firefox version based on an official desktop release, intended for organizations that need extended support for mass deployments.
“Some of these bugs showed evidence of memory corruption, and we presume that with enough effort some of these could have been exploited to run arbitrary code,” according to a Mozilla Foundation security advisory, released on Tuesday.
Details are scant regarding where specifically these two high-severity flaws exist and how difficult they are in terms of exploitability; however, Mozilla classifies high-severity flaws as issues “that can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.”
Mozilla developers Jason Kratzer (CVE-2020-15673) and Byron Campen and Christian Holler (CVE-2020-15674) were credited with reporting the flaws.
The release of Firefox 81 also fixed a third and final high-severity flaw in its implementation of Web Graphics Library (WebGL), a JavaScript API for rendering interactive 2D and 3D graphics within any compatible web browser.
This bug (CVE-2020-15675) is a use-after-free issue, a class of vulnerability caused by incorrect management of dynamically allocated memory: a program frees a block of memory but keeps using a pointer to it. When the allocator hands that block to a later allocation, the stale pointer now refers to whatever was placed there, and an attacker who controls that later allocation can corrupt the program’s state. In Firefox’s case, when processing surfaces for WebGL, a surface’s lifetime may outlive the persistent buffer it references, leading to memory corruption and a potentially exploitable crash.
Brian Carpenter (via the ASAN Nightly project), who was credited with reporting the flaw, told Threatpost via email that it was introduced during a recent refactoring of WebGL code.
“It would be hard but not impossible to exploit,” he told Threatpost. “An attacker would need to construct a situation that replaced the persistent buffer memory with something else.”
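The situation Carpenter describes, a surface holding a pointer to a persistent buffer that has already been freed and re-occupied, is shown below as an added example; it is not Firefox or Mozilla code and does not reproduce the actual WebGL bug. It uses a toy slot allocator over a static arena so that the freed slot is deterministically reused by the next allocation (as a real heap’s size-class bins would do) without any undefined behaviour, and contrasts the borrowed-pointer pattern with a reference-counted one in which the last user frees the buffer. The `Buffer`, `Surface`, `vulnerable_flow` and `hardened_flow` names are illustrative, not Firefox types.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Toy heap: four fixed-size slots over a static arena. slot_alloc() hands out
 * the lowest free slot, so a freed slot is reused by the very next allocation
 * of that size class. Everything stays inside the static array, so following
 * a stale pointer here is deterministic and not undefined behaviour. */
#define SLOT_SIZE 32
#define NSLOTS 4
static unsigned char arena[NSLOTS][SLOT_SIZE];
static int slot_in_use[NSLOTS];

static void *slot_alloc(void) {
    for (int i = 0; i < NSLOTS; i++) {
        if (!slot_in_use[i]) {
            slot_in_use[i] = 1;
            memset(arena[i], 0, SLOT_SIZE);
            return arena[i];
        }
    }
    return NULL;
}

static void slot_free(void *p) {
    for (int i = 0; i < NSLOTS; i++)
        if (p == (void *)arena[i]) slot_in_use[i] = 0;
}

static void heap_reset(void) { memset(slot_in_use, 0, sizeof slot_in_use); }

/* Illustrative "persistent buffer" of pixel data and a "surface" that uses it
 * (hypothetical names, not Firefox's WebGL types). */
typedef struct { unsigned refs; char pixels[24]; } Buffer;
typedef struct { Buffer *buf; } Surface;

/* Vulnerable pattern: the surface borrows the buffer without taking a
 * reference, the owner frees the buffer while the surface still exists, and
 * an attacker-controlled allocation of the same size lands in the freed slot.
 * Returns 1 if the attacker's allocation aliases the surface's stale pointer;
 * copies what the surface now reads into out (24 bytes plus NUL). */
int vulnerable_flow(char out[25]) {
    heap_reset();
    Buffer *buf = slot_alloc();
    strcpy(buf->pixels, "pixels");
    Surface surface = { buf };              /* raw pointer, no ownership */

    slot_free(buf);                         /* owner drops the buffer early */

    char *attacker = slot_alloc();          /* same size class -> same slot */
    memset(attacker, 'A', SLOT_SIZE - 1);   /* attacker-chosen contents */
    attacker[SLOT_SIZE - 1] = '\0';

    /* The surface is still alive and reads through its stale pointer: it now
     * sees attacker bytes where pixel data used to be. */
    memcpy(out, surface.buf->pixels, 24);
    out[24] = '\0';
    return (void *)attacker == (void *)surface.buf;
}

/* Hardened pattern: lifetime follows the last user. The surface takes a
 * reference, so the owner's release does not free the slot; the attacker's
 * allocation goes elsewhere and the surface still reads its own data. */
static Buffer *buffer_acquire(Buffer *b) { b->refs++; return b; }
static void buffer_release(Buffer *b) { if (--b->refs == 0) slot_free(b); }

int hardened_flow(char out[25]) {
    heap_reset();
    Buffer *buf = slot_alloc();
    buf->refs = 1;                          /* owner's reference */
    strcpy(buf->pixels, "pixels");
    Surface surface = { buffer_acquire(buf) };   /* refs == 2 */

    buffer_release(buf);                    /* owner done: refs == 1, no free */

    char *attacker = slot_alloc();          /* gets a different slot */
    memset(attacker, 'A', SLOT_SIZE - 1);
    attacker[SLOT_SIZE - 1] = '\0';

    memcpy(out, surface.buf->pixels, 24);
    out[24] = '\0';
    int aliased = (void *)attacker == (void *)surface.buf;
    buffer_release(surface.buf);            /* last user frees the slot */
    return aliased;
}

int main(void) {
    char seen[25];
    vulnerable_flow(seen); printf("vulnerable surface reads: %s\n", seen);
    hardened_flow(seen);   printf("hardened surface reads:   %s\n", seen);
    return 0;
}
```

The vulnerable flow is exactly the "construct a situation that replaced the persistent buffer memory with something else" step: on a real heap the attacker would spray allocations of the right size class rather than rely on a four-slot arena, but the lifetime mistake being exploited is the same. The fix in the hardened flow is not the only possible one (clearing the surface's pointer when the buffer dies, or tying the surface's lifetime to the buffer's, also work); what matters is that no live object can hold a pointer to memory that has been returned to the allocator.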
The remaining flaws fixed in Firefox 81 are moderate in severity. These include a download-origin spoofing flaw (CVE-2020-15677), in which the site shown in the download file dialog could be spoofed so that a download appears to come from a site the attacker is impersonating; a cross-site scripting flaw (CVE-2020-15676) that could allow JavaScript to execute after attacker-controlled data is pasted into a contenteditable element; and another use-after-free flaw (CVE-2020-15678).
Threatpost has reached out to Mozilla for further details on whether any of these flaws were exploited in the wild.
On the privacy front, Firefox 81 also now reportedly highlights if an installed extension has control over the “Ask to save logins and passwords for websites” setting. This exists in the browser’s Logins and Passwords function (under about:preferences#privacy).
Firefox browser bugs have been in the spotlight lately. Recently, for instance, a vulnerability was discovered in Firefox for Android that lets an attacker launch websites on a victim’s phone with no user interaction: a Firefox browser window suddenly opens on the target device without the user’s permission.
Earlier this year, Mozilla also patched two Firefox zero-day vulnerabilities, both use-after-free bugs, that were being used in what Mozilla described as “targeted attacks in the wild.”