Application Security , Incident & Breach Response , Next-Generation Technologies & Secure Development
18 Firefox 96 Security Fixes Include High-Risk Issues
Update Contains Patches for 9 High-, 6 Medium- and 3 Low-Severity FlawsMozilla has released its latest Firefox browser version 96 with a host of new features and improvements for both desktop and mobile browsing. Mozilla has also fixed 18 security vulnerabilities, including 9 high-severity issues and 9 other medium- or low-severity flaws, according to the company's security advisory.
See Also: Delivering Globally Consistent App Performance to the Hybrid Workforce
The U.S. Cybersecurity and Infrastructure Security Agency has released an independent notification asking users and administrators to review Mozilla's security advisory and apply the necessary updates, as "an attacker could exploit some of these vulnerabilities to take control of an affected system."
The High-Impact Vulnerabilities
"The most concerning of the 18 security vulnerabilities is CVE-2022-22746," Paul Baird, the chief information security officer at Qualys, tells Information Security Media Group. This bug is a race condition that can allow bypassing of the full-screen notification, leading to a full-screen window spoofing, according to the security advisory.
Baird says that while this flaw is limited to FireFox on Windows, it could lead end users to click on malicious links or enter personally identifiable information on fake sites. "Patching this bug is very urgent," he says.
Mozilla attributed the finding of this vulnerability to security researcher Irvan Kurniawan, who also discovered three other high-impact security vulnerabilities in the previous version of Firefox that have now been registered as CVE-2022-22741, CVE-2022-22742 and CVE-2022-22743.
- CVE-2022-22741: This browser window spoof using full-screen mode prevents a pop-up window from leaving full-screen mode when resizing the pop-up while requesting full-screen access.
- CVE-2022-22742: This out-of-bound memory access flaw occurs while inserting text in edit mode. Some characters might lead to out-of-bounds memory access, causing a potentially exploitable crash, the security advisory says.
- CVE-2022-22743: This browser window spoofing vulnerability occurs while navigating from inside an iframe while requesting full-screen access. If exploited, an attacker-controlled tab can prevent users from leaving the full-screen mode.
The other high-impact issues patched in Firefox 96 include two use-after-free flaws - CVE-2022-22740 and CVE-2022-22737, a heap-buffer overflow - CVE-2022-22738, and an iframe sandbox bypass using XSLT - CVE-2021-4140, according to the security advisory.
Mozilla also fixed two memory safety bugs affecting Firefox 96, Firefox ESR 91.5 and Thunderbird 91.5:
- CVE-2022-22751 - A high-impact flaw;
- CVE-2022-22752 - A medium-impact flaw.
Less-Severe Yet Still Menacing Bugs
The medium-severity bugs in the browser include CVE-2022-22750, CVE-2022-22749, CVE-2022-22748, CVE-2022-22745 and CVE-2022-22744:
- CVE-2022-22750: This sandbox bypass vulnerability occurs when passing resource handles across processes in Firefox for both Windows and macOS.
- CVE-2022-22749: This flaw in Firefox for Android is caused by lack of URL restrictions while scanning QR codes.
- CVE-2022-22748: This is a spoofed origin on external protocol launch dialog.
- CVE-2022-22745: This is a leak of cross-origin URLs via securitypolicyviolation events.
- CVE-2022-22744: This command injection in the "Copy as curl" feature in DevTools vulnerability affects only the Firefox for Windows operating system.
Of the three low-severity vulnerabilities that Mozilla fixed in Firefox 96, CVE-2022-22747 security bug, represents "a prime case of a lack of proper input sanitization and fuzz testing for certificates," says Yana Blachman, threat intelligence specialist at Venafi. "In this instance, the bug causes problems for Firefox when, after accepting an untrusted certificate, handling an empty pkcs7 leads to the browser crashing. This is what makes this bug particularly interesting, because the certificate itself is tampered with in a way that can trigger a crash," Blachman tells ISMG.
Blachman says the fix is "a vital reminder of the importance of browser security and testing, and how rogue certificates can be used as payloads" to carry out attacks that affect users. While this flaw caused only minimal damage, she says, threat actors could further exploit this vulnerability.
Do Advisories Provide Sufficient Info?
Roger Grimes, data-driven defense evangelist at KnowBe4, says that Mozilla does not provide enough details in its security advisories for anyone to decide whether these bugs are really critical. "The biggest indicator of risk, beyond the actual ability of what the bug could allow, is if the vulnerability is either being currently exploited in the wild or soon likely to be exploited in the wild. CISA has stated that less than 4% of announced vulnerabilities are ever exploited in the wild. That means that 96% of disclosed vulnerabilities really are not high-risk. Are these bugs going to be in the true high-risk group or not? We do not know. Mozilla is not telling us," Grimes says.
He says Mozilla should provide "comprehensive risk ratings" so that stakeholders can evaluate the real risk of each bug for themselves. "Simply saying impact is 'high' is not enough anymore."
But John Shier, senior security officer at Sophos, says that in Firefox and most other modern browsers, users do not have to prioritize their patch application. "The automatic update feature, which has been available for over a decade, ensures that you are always on the latest version of the software." He recommends applying all patches because "each vulnerability presents an opportunity to an attacker."