Major Security Risks Found in Mozilla Firefox & Thunderbird

The Indian Computer Emergency Response Team (CERT-In) has recently issued a vulnerability note (CIVN-2025-0016) describing a series of critical vulnerabilities in two Mozilla products, Firefox and Thunderbird. The vulnerabilities are classified as high severity and could allow remote attackers to carry out spoofing attacks, disclose sensitive information, execute arbitrary code, or trigger denial of service (DoS) conditions on affected systems.

Affected Software Versions:
According to the CERT-In note, the vulnerabilities in Mozilla products impact a range of software versions. Users of the following versions should exercise caution:

– Mozilla Firefox: Versions before 135
– Mozilla Firefox ESR: Versions before 115.20 and 128.7
– Mozilla Thunderbird: Versions before 135
– Mozilla Thunderbird ESR: Versions before 128.7

Given the critical nature of these vulnerabilities, it is strongly advised that organizations and individuals utilizing Mozilla Firefox or Thunderbird promptly update their software to mitigate any potential risks.
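To check an installed-software inventory against the fixed versions listed above, the following added example (not code from CERT-In or Mozilla) flags builds that still need the update. It assumes version strings in the form `134.0.2` or `128.6.0esr`, assumes each ESR threshold applies to its own major branch, and uses constructed host names and builds.

```python
import re

# Fixed versions as listed in the CERT-In note summarised on this page.
# Assumption: each ESR threshold applies to its own major branch
# (115.x is fixed at 115.20, 128.x at 128.7).
FIXED = {
    ("firefox", False): [(135,)],
    ("firefox", True): [(115, 20), (128, 7)],
    ("thunderbird", False): [(135,)],
    ("thunderbird", True): [(128, 7)],
}

VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(esr)?", re.IGNORECASE)

def parse_version(text):
    """Return ((major, minor, ...), is_esr) for strings such as '128.6.0esr'."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no version number in {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, match.group(2) is not None

def is_affected(product, version_text):
    """True if the build predates the fixed version for its product and channel."""
    version, esr = parse_version(version_text)
    fixed_versions = FIXED[(product.lower(), esr)]
    for fixed in fixed_versions:
        if version[0] == fixed[0]:  # same major branch: compare directly
            return version < fixed
    # Major branch not listed: anything older than the newest fixed branch
    # has no listed fix and is treated as affected.
    return version[0] < max(fixed[0] for fixed in fixed_versions)

def audit(inventory):
    """Return hosts from (host, product, version) rows that still need the update."""
    return [host for host, product, version in inventory
            if is_affected(product, version)]

# Constructed sample inventory (hypothetical host names and builds).
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "134.0.2"),
    ("ws-02", "Firefox", "135.0"),
    ("ws-03", "Firefox", "115.19.0esr"),
    ("ws-04", "Firefox", "128.7.0esr"),
    ("ws-05", "Thunderbird", "128.6.0esr"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```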

The vulnerabilities identified in Mozilla products encompass various issues, such as use-after-free errors, memory safety bugs, and certificate validation problems. These flaws introduce multiple vectors of attack, exposing systems to unauthorized access, system crashes, and potential data breaches.

Key Mozilla Vulnerabilities Identified:
1. Use-After-Free in XSLT: Reported as CVE-2025-1009, this vulnerability in the XSLT component of Mozilla products could lead to system destabilization and potential code execution.
2. Use-After-Free in Custom Highlight: CVE-2025-1010 pertains to the Custom Highlight API and could compromise system stability and security if exploited.
3. Memory Safety Bugs: Multiple instances of memory safety bugs (CVE-2025-1016, CVE-2025-1017, and CVE-2025-1020) pose a high risk of arbitrary code execution.
4. WebAssembly Code Generation Bug: CVE-2025-1011 points to a WebAssembly bug that may result in system crashes and code execution attacks.
5. Double-Free Vulnerability in PKCS#7 Decryption: CVE-2024-11704 highlights a double-free vulnerability in PKCS#7 decryption handling.
6. Private Browsing Tab Leak: CVE-2025-1013 could compromise user privacy by opening private browsing tabs in normal windows.
7. Email Sender Spoofing: CVE-2025-0510 enables email sender spoofing in Thunderbird, potentially undermining email authenticity.
8. Fullscreen Notification Issues: CVE-2025-1018 and CVE-2025-1019 are vulnerabilities related to fullscreen notifications, which could facilitate spoofing attacks.

The exploitation of these vulnerabilities, particularly through specially crafted web requests, could lead to a range of severe consequences for users, including unauthorized access, arbitrary code execution, and denial of service disruptions.

Mozilla has swiftly responded to these vulnerabilities by releasing security fixes across its product range. Users are strongly advised to install the latest updates to mitigate the risk posed by these vulnerabilities. By staying vigilant and maintaining up-to-date software, users can protect themselves against potential security threats and ensure the integrity of their systems.
