Firefox Bug Opens iPhone AirPods to Third-Party Snooping

Mozilla Foundation snuffs out bugs with the introduction of Firefox 74 and ESR 68.6.

Five high-severity bugs were fixed in the Firefox web browser with the release of version 74 by the Mozilla Foundation on Tuesday. In addition, Mozilla reported a quirky moderate-severity flaw that allows hackers to target iPhone users and collect data tied to connected AirPods, if in use.

In total, 12 bugs were patched, with six rated moderate severity and one rated low severity.

This month’s most serious fixes addressed flaws ranging from two memory out-of-bounds issues to two use-after-free bugs. Also on Tuesday, the browser maker released a new corporate version of its browser, Firefox ESR 68.6. This browser update shared four of the high-severity bug fixes and three medium-severity bug patches.

“While none have been seen exploited in the wild yet, the time to weaponization averages 7 days. And with Firefox’s increasing market growth in the enterprise market, leaving any devices unpatched could lead to a security incident,” wrote Richard Melick, sr. technical product manager at the patch-management firm Automox in a prepared statement.

Melick also highlighted a Firefox flaw (CVE-2020-6812) that, while rated moderate, impacts iPhone users in a novel way. “[This is] a vulnerability that would allow a website with camera or microphone access to gather information on the user through the connected AirPods,” wrote the researcher.

“The first time AirPods are connected to an iPhone, they become named after the user’s name by default (e.g. Jane Doe’s AirPods.),” wrote Mozilla. “Websites with camera or microphone permission are able to enumerate device names, disclosing the user’s name.”

Mozilla said that, to patch the issue, it added a special case to the Firefox 74 code that renames any device whose name contains the substring ‘AirPods’ to simply ‘AirPods’. Jan-Ivar Bruaroey is credited with discovering the iPhone-related vulnerability.
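The renaming rule Mozilla describes can be modelled in a few lines. The sketch below is an added example, not Firefox source code: the device entries are constructed and only mimic the shape of `MediaDeviceInfo` objects, and `residualOwnerNames` is a hypothetical audit helper that shows which owner names a substring rule keyed on ‘AirPods’ would not cover.

```javascript
// Added example, not Firefox source. All device entries are constructed
// sample data shaped like MediaDeviceInfo objects.
const sampleDevices = [
  { kind: "audioinput",  deviceId: "a1", label: "Jane Doe\u2019s AirPods" },
  { kind: "audiooutput", deviceId: "a2", label: "Jane Doe's AirPods Pro" },
  { kind: "audioinput",  deviceId: "a3", label: "iPhone Microphone" },
  { kind: "audiooutput", deviceId: "a4", label: "Jane Doe's Headset" },
  { kind: "videoinput",  deviceId: "a5", label: "Front Camera" },
];

// The rule as the article states it: a label containing the substring
// "AirPods" is replaced by exactly "AirPods" (case-sensitive match).
function sanitizeLabel(label) {
  return label.includes("AirPods") ? "AirPods" : label;
}

// What a page would receive under this model: blank labels without
// camera/microphone permission, sanitized labels once it is granted.
function visibleDevices(devices, hasMediaPermission) {
  return devices.map((d) => ({
    ...d,
    label: hasMediaPermission ? sanitizeLabel(d.label) : "",
  }));
}

// Hypothetical audit helper (an assumption, not part of the fix): find
// labels that still read "<Owner>'s <device>" and return the owner part.
// Accepts both the straight and the typographic apostrophe.
const POSSESSIVE = /^(.+?)['\u2019]s\s+\S/;
function residualOwnerNames(devices) {
  return devices
    .map((d) => POSSESSIVE.exec(d.label))
    .filter(Boolean)
    .map((m) => m[1]);
}

const exposed = visibleDevices(sampleDevices, true);
console.log(exposed.map((d) => d.label));
console.log("owner names still visible:", residualOwnerNames(exposed));
```

On the constructed list, both AirPods entries collapse to the generic label, while the headset entry still carries the owner's name because the rule matches only the ‘AirPods’ substring.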

Other high-severity bugs singled out by Automox that could “lead to memory corruption and escalation of privileges on a victim’s endpoint” include memory and script safety bugs – tracked as CVE-2020-6805, CVE-2020-6807, CVE-2020-6814 and CVE-2020-6815.

“Some of these bugs showed evidence of memory corruption or escalation of privilege and we presume that with enough effort some of these could have been exploited to run arbitrary code,” wrote Mozilla, describing the memory and script safety bugs fixed in Firefox 74.

Another interesting bug, tracked as CVE-2020-6810 and rated medium severity, can be abused by a malicious website that tricks users into opening a dangerous popup that mimics the browser in full-screen mode. The technique would hide the fact that the browser was in full-screen mode by obscuring notifications and spoofing the browser’s chrome. Chrome is a generic term for the browser’s own interface, the top portion that surrounds user data and web page content. This opens the door for an attacker to mask the fact that a victim might be on an insecure or malicious website.

Avi Drissman of the Chrome security team is credited with discovering the bug (CVE-2020-6810), described as: “focusing a popup while in fullscreen could have obscured the fullscreen notification.”
