SB2022011114 - Multiple vulnerabilities in Mozilla Firefox

Description

This security bulletin contains information about 18 secuirty vulnerabilities.

1) Spoofing attack (CVE-ID: CVE-2022-22748)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data. Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol.

2) Buffer overflow (CVE-ID: CVE-2022-22751)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

3) Security features bypass (CVE-ID: CVE-2022-22739)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to missing throttling on external protocol launch dialog. A malicious websites can trick users into accepting launching a program to handle an external URL protocol.

4) Unquoted Search Path or Element (CVE-ID: CVE-2022-22736)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to unquoted search path in Firefox installer. A local user with ability to write files into the Firefox installation folder can place a specially crafted library and execute arbitrary code on the system.

The vulnerability affects Firefox for Windows in a non-default installation.

5) Input validation error (CVE-ID: CVE-2022-22747)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of empty pkcs7 sequence, passed as part of the certificate data. A remote attacker can pass specially crafted certificate to the application and perform a denial of service (DoS) attack.

6) OS Command Injection (CVE-ID: CVE-2022-22744)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the "Copy as curl" feature in DevTools. A remote attacker can trick the victim to cope a specially crafted link and execute arbitrary commands on the system, if copied data is pasted into a Powershell prompt.

7) Information disclosure (CVE-ID: CVE-2022-22745)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to Securitypolicyviolation events leak cross-origin information for frame-ancestors violations. A remote attacker can gain access to sensitive data.

8) Input validation error (CVE-ID: CVE-2022-22749)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of QR codes. When scanning QR codes, Firefox for Android allows navigation to some URLs that do not point to web content.

9) Improper Restriction of Rendered UI Layers or Frames (CVE-ID: CVE-2022-22746)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to a race condition when calling reportValidity. A remote attacker can trick the victim to open a specially crafted web page and bypass the fullscreen notification, which can lead to spoofing attack.

10) Security features bypass (CVE-ID: CVE-2022-22750)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to Firefox passes resource handles across processes. A remote attacker can create a specially crafted web page that can confuse the higher privileged processes to interact with handles that the unprivileged process should not have access to.

The vulnerability affects Firefox installation on Windows and macOS only.

11) Security features bypass (CVE-ID: CVE-2021-4140)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error in iframe sandbox implementation when processing XSLT markup. A remote attacker can bypass iframe sandbox and execute arbitrary JavaScript code in context of arbitrary window.

12) Use-after-free (CVE-ID: CVE-2022-22737)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a race condition playing audio files. A remote attacker can construct a specially crafted audio skin, trigger a use-after-free error and execute arbitrary code on the system.

13) Heap-based buffer overflow (CVE-ID: CVE-2022-22738)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in blendGaussianBlur when applying CSS filter. A remote attacker can trick the victim to open a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

14) Use-after-free (CVE-ID: CVE-2022-22740)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in ChannelEventQueue::mOwner when releasing a network request handle. A remote attacker can trick the victim to open a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

15) Improper Restriction of Rendered UI Layers or Frames (CVE-ID: CVE-2022-22741)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to an error resizing a popup while requesting fullscreen access. A remote attacker can trick the victim to open a specially crafted web page,  and make the browser unable to leave fullscreen mode.

Successful exploitation of the vulnerability may allow an attacker to perform spoofing attack.

16) Out-of-bounds write (CVE-ID: CVE-2022-22742)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input, when inserting text while in edit mode. A remote attacker can create a specially crafted website, trick the victim into opening it and insert specially crafted input in the edit mode, trigger out-of-bounds write and execute arbitrary code on the target system.

17) Improper Restriction of Rendered UI Layers or Frames (CVE-ID: CVE-2022-22743)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to an error when navigating from inside an iframe while requesting fullscreen access. A remote attacker can trick the victim to open a specially crafted web page,  and make the browser unable to leave fullscreen mode.

Successful exploitation of the vulnerability may allow an attacker to perform spoofing attack.

18) Buffer overflow (CVE-ID: CVE-2022-22752)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

• https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/
• https://www.mozilla.org/en-US/security/advisories/mfsa2022-02/