CyberSecurity SEE

Major Security Risks Found in Mozilla Firefox & Thunderbird

The Indian Computer Emergency Response Team (CERT-In) has recently issued a vulnerability note (CIVN-2025-0016) that sheds light on a series of critical vulnerabilities affecting Mozilla products, namely Firefox and Thunderbird. These vulnerabilities, classified as high severity, have the potential to enable remote attackers to carry out spoofing attacks, disclose sensitive information, execute arbitrary code, or trigger denial of service (DoS) conditions on impacted systems.

Affected Software Versions:
According to the CERT-In note, the vulnerabilities in Mozilla products impact a range of software versions. Users of the following versions should exercise caution:

– Mozilla Firefox: Versions before 135
– Mozilla Firefox ESR: Versions before 115.20 and 128.7
– Mozilla Thunderbird: Versions before 135
– Mozilla Thunderbird ESR: Versions before 128.7

Given the critical nature of these vulnerabilities, it is strongly advised that organizations and individuals utilizing Mozilla Firefox or Thunderbird promptly update their software to mitigate any potential risks.
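A quick way to act on the version list above is to compare each installed build against the fixed versions the advisory names, keeping in mind that the two Firefox ESR branches were fixed at different points (115.20 and 128.7) while mainline Firefox and Thunderbird need 135 or later. The script below is an added example written for this article, not code from CERT-In or Mozilla. It assumes that ESR builds report an `esr` suffix in their version string (as Firefox ESR does) and reads a constructed `host,product,version` inventory; the hostnames and versions in `SAMPLE_INVENTORY` are made up for illustration.

```python
"""Check an endpoint inventory against the fixed versions in CERT-In
CIVN-2025-0016 (Firefox 135, Firefox ESR 115.20 / 128.7, Thunderbird 135,
Thunderbird ESR 128.7). Added example, not code from the advisory or Mozilla.
Assumptions: ESR builds carry an 'esr' suffix in their version string, and the
inventory is a constructed CSV of host,product,version lines."""

import re

# Fixed versions from the advisory. ESR entries are keyed by branch major
# because the two ESR branches were fixed at different versions.
MAINLINE_FIXED = {"firefox": (135, 0), "thunderbird": (135, 0)}
ESR_FIXED = {
    "firefox": {115: (115, 20), 128: (128, 7)},
    "thunderbird": {128: (128, 7)},
}

# Leading dotted numbers, optionally followed by a suffix such as 'esr' or 'b3'.
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)\s*([A-Za-z].*)?$")


def parse_version(text):
    """'128.6.0esr' -> ((128, 6, 0), True); '134.0.2' -> ((134, 0, 2), False)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    suffix = (m.group(2) or "").lower()
    return numbers, suffix.startswith("esr")


def classify(product, version_text):
    """Return 'vulnerable', 'fixed' or 'unlisted-branch' for one install.

    Tuple comparison handles differing lengths: (115, 19, 0) < (115, 20) is
    True, (115, 20, 0) < (115, 20) is False, so '.0' patch levels compare
    correctly against the advisory's two-component thresholds."""
    product = product.lower()
    if product not in MAINLINE_FIXED:
        raise ValueError(f"product not covered by the advisory: {product!r}")
    version, esr = parse_version(version_text)
    if esr:
        fixed = ESR_FIXED[product].get(version[0])
        if fixed is None:
            # The advisory names no fixed version for this ESR branch
            # (for example an end-of-life one); flag it for manual review.
            return "unlisted-branch"
    else:
        fixed = MAINLINE_FIXED[product]
    return "vulnerable" if version < fixed else "fixed"


def scan_inventory(csv_text):
    """Parse 'host,product,version' lines and return a list of
    (host, product, version, status) tuples, skipping blank and comment lines."""
    results = []
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        results.append((host, product, version, classify(product, version)))
    return results


def vulnerable_hosts(csv_text):
    """Sorted hostnames whose install is below the advisory's fixed version."""
    return sorted(host for host, _, _, status in scan_inventory(csv_text)
                  if status == "vulnerable")


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = """\
# host,product,version
ws-01,firefox,134.0.2
ws-02,firefox,135.0
ws-03,firefox,128.6.0esr
ws-04,firefox,128.7.0esr
ws-05,firefox,115.19.0esr
ws-06,firefox,102.15.1esr
ws-07,thunderbird,128.6.0esr
ws-08,thunderbird,135.0
"""

if __name__ == "__main__":
    for row in scan_inventory(SAMPLE_INVENTORY):
        print("{:<6} {:<12} {:<14} {}".format(*row))
```

Running it on the sample inventory flags ws-01, ws-03, ws-05 and ws-07 as below the fixed version, reports ws-02, ws-04 and ws-08 as fixed, and marks ws-06 as an ESR branch the advisory does not list, which is worth a manual look rather than a silent pass. The separate mainline and ESR tables matter: a mainline build reporting 128.x is simply "before 135" and therefore affected, whereas an ESR build at 128.7 or later is not.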

The vulnerabilities identified in Mozilla products encompass various issues, such as use-after-free errors, memory safety bugs, and certificate validation problems. These flaws introduce multiple vectors of attack, exposing systems to unauthorized access, system crashes, and potential data breaches.

Key Mozilla Vulnerabilities Identified:
1. Use-After-Free in XSLT: Reported as CVE-2025-1009, this vulnerability in the XSLT component of Mozilla products could lead to system destabilization and potential code execution.
2. Use-After-Free in Custom Highlight: CVE-2025-1010 pertains to the Custom Highlight API and could compromise system stability and security if exploited.
3. Memory Safety Bugs: Multiple instances of memory safety bugs (CVE-2025-1016, CVE-2025-1017, and CVE-2025-1020) pose a high risk of arbitrary code execution.
4. WebAssembly Code Generation Bug: CVE-2025-1011 points to a WebAssembly bug that may result in system crashes and code execution attacks.
5. Double-Free Vulnerability in PKCS#7 Decryption: CVE-2024-11704 highlights a double-free vulnerability in PKCS#7 decryption handling.
6. Private Browsing Tab Leak: CVE-2025-1013 could compromise user privacy by opening private browsing tabs in normal windows.
7. Email Sender Spoofing: CVE-2025-0510 enables email sender spoofing in Thunderbird, potentially undermining email authenticity.
8. Fullscreen Notification Issues: CVE-2025-1018 and CVE-2025-1019 address vulnerabilities related to fullscreen notifications, which could facilitate spoofing attacks.

The exploitation of these vulnerabilities, particularly through specially crafted web requests, could lead to a range of severe consequences for users, including unauthorized access, arbitrary code execution, and denial of service disruptions.

Mozilla has swiftly responded to these vulnerabilities by releasing security fixes across its product range. Users are strongly advised to install the latest updates to mitigate the risk posed by these vulnerabilities. By staying vigilant and maintaining up-to-date software, users can protect themselves against potential security threats and ensure the integrity of their systems.
