Mozilla patches critical zero-day and high severity vulnerabilities in Firefox

  • Post author:
  • Reading time:5 mins read


Mozilla released two consecutive security advisories to address the vulnerabilities in Firefox and Firefox ESR. The latter is a critical advisory claiming that Mozilla is aware of in-the-wild attacks for a type confusion vulnerability. However, there are no details about the specific threat actor(s) abusing the aforementioned vulnerability. Detect vulnerabilities with the help of a vulnerability management tool.

Mozilla’s release of Firefox version 72 includes protection against browser fingerprinting. Browser fingerprinting is an incredibly accurate method that allows the identification of browsers and tracking of online activity. This method can also be used by websites to collect information such as browser type and version, operating system version, active plugins, timezone, screen resolution, etc. Mozilla states that

"Firefox 72 protects users against fingerprinting by blocking all third-party requests
 to companies that are known to participate in fingerprinting."

Mozilla Firefox Zero-Day: CVE-2019-17026

CVE-2019-17026 is a security issue that has been classified as type confusion (CWE-843). The flaw exists in IonMonkey, the JavaScript JIT compiler for SpiderMonkey, the first written JavaScript engine. The type confusion issue arises due to incorrect alias information in IonMonkey for setting array elements. This vulnerability can be abused by an attacker to execute arbitrary code or cause a potential crash.


Vulnerabilities fixed in MFSA (2020-01 and 2020-02)

High-Severity Vulnerabilities
Five vulnerabilities in Firefox and four in Firefox ESR were regarded high in severity. A summary of these high severity vulnerabilities is given below:

  • CVE-2019-17015: A memory corruption bug that arises in the parent process during new content process initialization on Windows. An attacker can manipulate a pointer offset to cause memory corruption and a potentially exploitable crash in the parent process.

  • CVE-2019-17016: This flaw exists because the CSS sanitizer incorrectly rewrites a @namespace rule when pasting a <style> tag from the clipboard into a rich text editor, which allows injection in certain websites. An attacker could exploit this vulnerability to exfiltrate data.

  • CVE-2019-17017: A type confusion issue in XPCVariant.cpp due to a missing case handling object types. This bug can be exploited to crash the application or even execute arbitrary code.

  • CVE-2019-17024: A set of memory safety bugs that showed evidence of memory corruption and could allow execution of arbitrary code.

  • CVE-2019-17025: Another set of memory safety bugs exclusive to Firefox, which could be exploited to run arbitrary code.

Moderate-Severity Vulnerabilities

CVE-2019-17021 and CVE-2019-17022 are the moderate severity bugs fixed in Firefox and Firefox ESR.

  • CVE-2019-17021: A race condition that occurs during the initialization of a new content process leads to a heap address disclosure from the parent process. This bug only affects Windows systems.

  • CVE-2019-17022: CSS sanitizer fails to escape the HTML tags, which could lead to an XSS vulnerability

CVE-2019-17018, CVE-2019-17019 , and CVE-2019-17020 are the other moderate severity bugs fixed in Firefox, which could retain word suggestions in private browsing mode, execute Python files on download and bypass restrictions of the Content Security Policy respectively.


Affected Products

Mozilla Firefox before version 72.0.1

Mozilla Firefox ESR before 68.4.1


Solution

Please refer to this KB Article to apply the patches using SanerNow.


SecPod Saner detects these vulnerabilities and automatically fixes them by applying security updates. Download Saner now and keep your systems updated and secure.