Mozilla has released security updates for Firefox, Firefox ESR (CVE-2022-22746), and the Thunderbird mail client. There are 18 vulnerabilities in Firefox, 14 vulnerabilities in Firefox ESR, and 14 vulnerabilities in Thunderbird, all found and fixed. The advisories for these products have been rated high severity. Most of these vulnerabilities could lead to a race condition, fullscreen access, out-of-bounds memory access, use-after-free, heap buffer overflow, or iframe sandbox bypass with XSLT. A vulnerability management tool can prevent such attacks from happening.
Out of the above vulnerabilities, the most severe one is a race condition issue tracked as CVE-2022-22746. The vulnerability only impacts Firefox on Windows operating systems. A race condition could have allowed bypassing the fullscreen notification, which could have led to a fullscreen window spoof going unnoticed. Another vulnerability is a fullscreen spoof in the Firefox browser window, tracked as CVE-2022-22743. The vulnerability can allow an attacker-controlled tab to prevent the browser from leaving fullscreen mode when the user navigates from inside an iframe. One more vulnerability is an out-of-bounds memory access leading to a potentially exploitable crash; this flaw has been tracked as CVE-2022-22742. Deploying patches will be easier with a patch management tool.
Mozilla Security Updates Summary for January 2022
Product: Mozilla Firefox
Advisory/CVEs: MFSA2022-01, CVE-2022-22746, CVE-2022-22743, CVE-2022-22742, CVE-2022-22741, CVE-2022-22740, CVE-2022-22738, CVE-2022-22737, CVE-2021-4140, CVE-2022-22750, CVE-2022-22749, CVE-2022-22748, CVE-2022-22745, CVE-2022-22744, CVE-2022-22747, CVE-2022-22736, CVE-2022-22739, CVE-2022-22751, CVE-2022-22752
Severity: High
Impact: Race condition, Fullscreen access, Out-of-bounds memory access, Use-after-free, Heap buffer overflow, Iframe sandbox bypass with XSLT.
Product: Mozilla Firefox ESR
Advisory/CVEs: MFSA2022-02, CVE-2022-22746, CVE-2022-22743, CVE-2022-22742, CVE-2022-22741, CVE-2022-22740, CVE-2022-22738, CVE-2022-22737, CVE-2021-4140, CVE-2022-22748, CVE-2022-22745, CVE-2022-22744, CVE-2022-22747, CVE-2022-22739, CVE-2022-22751
Severity: High
Impact: Race condition, Fullscreen access, Out-of-bounds memory access, Use-after-free, Heap buffer overflow, Iframe sandbox bypass with XSLT.
Product: Mozilla Thunderbird
Advisory/CVEs: MFSA2022-02, CVE-2022-22746, CVE-2022-22743, CVE-2022-22742, CVE-2022-22741, CVE-2022-22740, CVE-2022-22738, CVE-2022-22737, CVE-2022-22748, CVE-2022-22745, CVE-2022-22744, CVE-2022-22747, CVE-2022-22739, CVE-2022-22751
Severity: High
Impact: Race condition, Fullscreen access, Out-of-bounds memory access, Use-after-free, Heap buffer overflow, Iframe sandbox bypass with XSLT.
Affected Products by CVE-2022-22746:
1. Mozilla Firefox below 96.0
2. Mozilla Firefox ESR below 91.5
3. Mozilla Thunderbird below 91.5
Solution:
1. Mozilla Firefox 96.0
2. Mozilla Firefox ESR 91.5
3. Mozilla Thunderbird 91.5
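The fixed versions above are the only inputs a fleet check needs. The script below is an added example written for this post, not code from SecPod, SanerNow or Mozilla: it takes an inventory of reported product versions and flags every install that is still below the fixed version for its channel. The inventory lines are constructed, and the script assumes that Firefox ESR builds report their version with an "esr" suffix (as in "91.5.0esr") so that they can be routed to the ESR threshold rather than the 96.0 release threshold. The comparison is numeric on purpose: comparing version strings lexically would wrongly rank "91.10" below "91.5".

```python
"""Flag Mozilla installs that predate the January 2022 fix versions
(Firefox 96.0, Firefox ESR 91.5, Thunderbird 91.5)."""
import re

# Fixed versions taken from the advisory summary above.
FIXED_VERSIONS = {
    "firefox": (96, 0),
    "firefox-esr": (91, 5),
    "thunderbird": (91, 5),
}

# Constructed sample inventory (hostnames and versions are made up):
# host, product, version as reported by the installed binary.
SAMPLE_INVENTORY = """\
ws-01,firefox,95.0.2
ws-02,firefox,96.0
ws-03,firefox,91.4.1esr
ws-04,firefox,91.5.0esr
ws-05,thunderbird,91.10.0
ws-06,thunderbird,91.4.0
"""


def parse_version(text):
    """Turn '91.5.0esr', '96.0' or '91.10' into a tuple of ints.
    Trailing channel tags such as 'esr' are ignored here."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_lt(a, b):
    """Numeric, zero-padded comparison so (91, 5) == (91, 5, 0)
    and (91, 10) sorts after (91, 5)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def classify_channel(product, version_text):
    """Assumption: ESR builds of Firefox report an 'esr' suffix; route them
    to the ESR threshold instead of the 96.0 release threshold."""
    if product == "firefox" and version_text.strip().lower().endswith("esr"):
        return "firefox-esr"
    return product


def is_vulnerable(product, version_text):
    """True when the installed version is strictly below the fixed version."""
    channel = classify_channel(product, version_text)
    return version_lt(parse_version(version_text), FIXED_VERSIONS[channel])


def audit(inventory_text):
    """Return (host, channel, version, needs_patch) for every inventory line."""
    findings = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, product, version = (field.strip() for field in line.split(","))
        findings.append(
            (host, classify_channel(product, version), version, is_vulnerable(product, version))
        )
    return findings


if __name__ == "__main__":
    for host, channel, version, needs_patch in audit(SAMPLE_INVENTORY):
        print(f"{host:6} {channel:12} {version:10} {'NEEDS PATCH' if needs_patch else 'ok'}")
```

Feed it the real inventory export from whatever tool reports installed versions; anything flagged NEEDS PATCH still falls under the affected-product ranges listed above.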
SanerNow VM and SanerNow PM detect these vulnerabilities and automatically fix them by applying security updates. Use SanerNow and keep your systems updated and secure.