23 September 2020

Mozilla fixed three high-severity flaws with Firefox 81 release



Mozilla has patched three high-severity vulnerabilities with the release of Firefox 81 and Firefox Extended Support Release (ESR) 78.3. Some of the flaws could be exploited to run arbitrary code.

Two critical bugs (CVE-2020-15674 and CVE-2020-15673) were memory-safety bugs in the browser, the kind of error behind memory access issues like buffer overflows. CVE-2020-15674 was discovered in Firefox 80 and reported by Byron Campen and Christian Holler, while CVE-2020-15673 was found in Firefox 80 and Firefox ESR 78.2 and reported by Jason Kratzer.

“Some of these bugs showed evidence of memory corruption, and we presume that with enough effort some of these could have been exploited to run arbitrary code,” said Mozilla in a security advisory.

Mozilla classified these flaws as issues “that can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.”

Firefox 81 also fixes a third high-severity flaw (CVE-2020-15675) in its implementation of the Web Graphics Library (WebGL), a JavaScript API for rendering interactive 2D and 3D graphics within any compatible web browser. It is a use-after-free vulnerability, a class of bug caused by the incorrect use of dynamic memory: if a program frees a memory location but does not clear the pointer to that memory, an attacker can use the dangling pointer to compromise the program. In Firefox’s case, when processing surfaces for WebGL, the lifetime may outlive a persistent buffer, leading to memory corruption and a potentially exploitable crash. The flaw was reported by Brian Carpenter.
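The lifetime problem described above, and the usual defence against it, as an added C example that is not Firefox code: the `Buffer` and `Surface` types and every function name are hypothetical. The surface takes its own counted reference to the buffer, and releasing a reference clears the caller's pointer, so the surface can outlive the buffer's creator without ever holding a dangling pointer.

```c
#include <stdlib.h>

/* Hypothetical types for illustration; not taken from Firefox. */
typedef struct { int refs; size_t len; unsigned char *data; } Buffer;
typedef struct { Buffer *backing; } Surface;  /* surface reads from backing */

static int live_buffers = 0;                  /* allocations not yet freed */

Buffer *buffer_new(size_t len) {
    Buffer *b = malloc(sizeof *b);
    if (!b) return NULL;
    b->data = calloc(len, 1);
    if (!b->data) { free(b); return NULL; }
    b->refs = 1;
    b->len = len;
    live_buffers++;
    return b;
}

/* Drop one reference and clear the caller's pointer so it cannot dangle. */
void buffer_release(Buffer **bp) {
    Buffer *b = *bp;
    *bp = NULL;
    if (b && --b->refs == 0) { free(b->data); free(b); live_buffers--; }
}

/* The surface holds its own reference: its lifetime no longer depends on
 * whoever created the buffer. */
void surface_attach(Surface *s, Buffer *b) { b->refs++; s->backing = b; }
void surface_destroy(Surface *s) { buffer_release(&s->backing); }

/* Returns -1 instead of touching memory when nothing is attached. */
int surface_read(const Surface *s, size_t i) {
    if (!s->backing || i >= s->backing->len) return -1;
    return s->backing->data[i];
}

int live_buffer_count(void) { return live_buffers; }

/* Scenario: the creator releases the buffer while the surface still uses it. */
int demo(void) {
    Buffer *owner = buffer_new(4);
    if (!owner) return -2;
    owner->data[2] = 0x7f;                    /* constructed sample value */
    Surface s = {0};
    surface_attach(&s, owner);
    buffer_release(&owner);                   /* owner is NULL, memory kept */
    int v = surface_read(&s, 2);              /* valid: surface holds a ref */
    surface_destroy(&s);                      /* last reference: freed here */
    return (owner == NULL && s.backing == NULL) ? v : -3;
}

int main(void) { return demo() == 0x7f ? 0 : 1; }
```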
