Government issues ‘important’ warning for Mozilla Firefox web browser: Details

CERT-In has issued a warning about high-severity security flaws in specific Mozilla Firefox versions that enable remote code execution and information disclosure. Users are advised to update their browsers promptly with security patches.

The Computer Emergency Response Team (CERT-In) has issued a new warning for the Mozilla Firefox web browser. The government body, in a recent post, has mentioned that it has found multiple security flaws within select versions of the browser and has classified it as a ‘high severity’ warning.
What government has said
CERT-In has mentioned that it has found multiple vulnerabilities within Mozilla products, including the Firefox browser.

The security flaws, when exploited, can allow a remote attacker to perform remote code execution, information disclosure and security restriction bypass, and to cause denial of service conditions on the targeted system.
This means hackers can use the security flaws to access important data stored on the system, including login credentials and financial information, among others.

Versions affected

  • Mozilla Firefox ESR versions prior to 115.9
  • Mozilla Firefox versions prior to 124
  • Mozilla Thunderbird versions prior to 115.9
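
An added example, not part of the article or the CERT-In advisory: a small inventory check that applies the three thresholds above per release channel, so that Firefox ESR 115.9 is not flagged merely for being below 124 and 115.10 is not mistaken for something older than 115.9. It assumes version banners of the form `Mozilla Firefox 115.9.0esr` (ESR marked by an `esr` suffix) and a hypothetical `host,banner` inventory format; the hosts and rows are constructed.

```python
import re

# Fixed versions taken from the "Versions affected" list above.
FIXED = {"firefox": (124,), "firefox-esr": (115, 9), "thunderbird": (115, 9)}

# Assumed banner format, e.g. "Mozilla Firefox 115.9.0esr" (ESR marked by suffix).
BANNER_RE = re.compile(r"(Firefox|Thunderbird)\s+(\d+(?:\.\d+)*)(esr)?", re.I)

def parse_banner(banner):
    """Return (product, version tuple), or None if the banner is not recognised."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    product = m.group(1).lower()
    if product == "firefox" and m.group(3):
        product = "firefox-esr"  # ESR has its own threshold, lower than 124
    return product, tuple(int(p) for p in m.group(2).split("."))

def is_affected(product, version):
    """True when version is strictly below the fixed version for its channel."""
    fixed = FIXED[product]
    width = max(len(fixed), len(version))
    pad = lambda v: v + (0,) * (width - len(v))  # so 124 == 124.0 == 124.0.0
    return pad(version) < pad(fixed)  # numeric compare, so 115.10 > 115.9

def audit(rows):
    """Map each 'host,banner' row to (host, status, product)."""
    results = []
    for row in rows:
        host, _, banner = row.partition(",")
        parsed = parse_banner(banner)
        if parsed is None:
            results.append((host, "unknown", None))  # needs manual review
        else:
            product, version = parsed
            status = "affected" if is_affected(product, version) else "ok"
            results.append((host, status, product))
    return results

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = ["ws-01,Mozilla Firefox 123.0.1", "ws-02,Mozilla Firefox 124.0",
          "ws-03,Mozilla Firefox 115.8.0esr", "ws-04,Mozilla Firefox 115.10.0esr",
          "ws-05,Mozilla Thunderbird 115.8.1", "ws-06,not installed"]

if __name__ == "__main__":
    for host, status, product in audit(SAMPLE):
        print(f"{host:6} {status:9} {product or '-'}")
```

Pre-release builds (for example a beta of 124) are outside what this check models and should be reviewed by hand.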

Why these bugs exist
As per the report, these vulnerabilities exist in several Mozilla products due to the ‘Windows Error Reporter’, which can be used as a sandbox escape vector. Apart from this, CERT-In has also provided a long list of reasons why these vulnerabilities are present in these Mozilla products.
“These vulnerabilities exist in Mozilla Products due to Windows Error Reporter could be used as a Sandbox escape vector; Mishandling of WASM register values; JIT code failed to save return registers on Armv7-A; Integer overflow could have led to out of bounds write; NSS susceptible to timing attack against RSA decryption; Permission prompt input delay could expire when not in focus; Improper handling of HTML and body tags enabled CSP nonce leakage; Clickjacking vulnerability could have led to a user accidentally granting permissions; Self-referencing object could have potentially led to a use-after-free; Improper handling of QUIC ACK frame data could have led to OOM; Crash in NSS TLS method; Improve handling of out-of-memory conditions in ICU and Memory safety bugs. A remote attacker could exploit these vulnerabilities by persuading a victim to visit a specially-crafted website”, reads the post.
What users can do
CERT-In has advised Mozilla users to install security updates that have started to roll out. It is also advised that users should update their browsers as and when the security updates for them are released by the companies.

Article From: timesofindia.indiatimes.com