
Mozilla Addresses High Severity Vulnerabilities – Download Now to Update!


The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding security updates for Mozilla products, citing vulnerabilities in Firefox 114 and Firefox ESR 102.12. Cybercriminals could exploit these vulnerabilities to take control of unpatched server systems. The security updates, released on June 6, 2023, address multiple vulnerabilities in these Mozilla products.

These vulnerabilities have been classified as high impact. One of the fixed vulnerabilities, identified as CVE-2023-34414, involves click-jacking of certificate exceptions through rendering lag. The updates also address memory safety vulnerabilities in Firefox: several bugs in Firefox ESR 102.12 and Firefox 114 could potentially lead to memory corruption and arbitrary code execution. Another vulnerability, CVE-2023-34415, rated moderate impact, involves a site-isolation bypass on sites that allow open redirects to data: URLs.

The Mozilla Foundation Security Advisories released on June 6 addressed fixes for both Firefox 114 and Firefox ESR 102.12. The vulnerabilities in Mozilla Firefox 114 were identified as CVE-2023-34414, CVE-2023-34415, CVE-2023-34416, and CVE-2023-34417. Meanwhile, the vulnerabilities in Mozilla Firefox ESR 102.12 were CVE-2023-34414 and CVE-2023-34416.

Regarding CVE-2023-34414, a site’s error page for invalid TLS certificates was missing the activation delay that Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time. A malicious page could lead a user to click at a precise location just before the browser reaches a website that has a certificate error. In such a scenario, a gap may open between the display of the error page and the user’s click, and a click landing within that gap could override the certificate error for the website. This vulnerability was reported alongside CVE-2023-34415, which allowed the URL from a redirect to load a document in the same process as the site that issued the redirect, opening the door to Spectre-like attacks on sites with open redirects.

CVE-2023-34416 was fixed in both Firefox 113 and Firefox ESR 102.11. Exploiting this bug resulted in memory corruption on unpatched devices, allowing attackers to run arbitrary code in Mozilla Firefox products. CVE-2023-34417 refers to memory safety bugs that were fixed in Firefox 114. Researchers found that exploitation of these bugs resulted in memory corruption that allowed arbitrary code to run.

CISA encourages users and administrators to review Mozilla’s security advisories for Firefox 114 and Firefox ESR 102.12 for more information and apply the necessary updates.
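To act on that advice across a fleet, an administrator needs to know which installed Firefox builds predate the fixed versions named above. The following is an added example (not code from CISA or Mozilla) that classifies a reported Firefox version string by channel and flags the CVEs from this advisory that the build still lacks; it assumes ESR builds identify themselves with an `esr` suffix, as in `Mozilla Firefox 102.12.0esr`, and the inventory lines are constructed sample data.

```python
import re
from typing import NamedTuple

# Fixed versions and the CVEs each branch received, as stated in the June 6, 2023 advisories.
FIXES = {
    "release": ((114, 0, 0), ["CVE-2023-34414", "CVE-2023-34415",
                              "CVE-2023-34416", "CVE-2023-34417"]),
    "esr":     ((102, 12, 0), ["CVE-2023-34414", "CVE-2023-34416"]),
}

# Matches "113.0.1", "114.0", "102.12.0esr" at the end of a version line (assumed format).
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?\s*(esr)?$", re.IGNORECASE)


class Verdict(NamedTuple):
    channel: str          # "release" or "esr"
    version: tuple        # (major, minor, patch)
    patched: bool         # True if the build is at or above the fixed version
    missing_cves: list    # CVEs from this advisory the build has not received


def parse_version(text: str):
    """Parse output such as 'Mozilla Firefox 102.12.0esr' into (channel, version tuple)."""
    m = VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {text!r}")
    major, minor, patch, esr = m.groups()
    channel = "esr" if esr else "release"
    return channel, (int(major), int(minor), int(patch or 0))


def assess(text: str) -> Verdict:
    """Compare a build against the fixed version for its channel."""
    channel, version = parse_version(text)
    fixed_in, cves = FIXES[channel]
    patched = version >= fixed_in   # tuple comparison: later ESR branches also count as patched
    return Verdict(channel, version, patched, [] if patched else list(cves))


def hosts_needing_update(inventory: dict) -> dict:
    """Map host -> missing CVEs for every host whose build is below the fixed version."""
    return {host: v.missing_cves
            for host, line in inventory.items()
            if not (v := assess(line)).patched}


# Constructed sample inventory (host -> output of `firefox --version`).
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 113.0.1",
    "ws-02": "Mozilla Firefox 114.0",
    "srv-03": "Mozilla Firefox 102.11.0esr",
    "srv-04": "Mozilla Firefox 102.12.0esr",
}

if __name__ == "__main__":
    for host, cves in hosts_needing_update(SAMPLE_INVENTORY).items():
        print(f"{host}: update required, missing {', '.join(cves)}")
```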

Previously, Kaspersky had noted several high-severity vulnerabilities in Mozilla Firefox. Exploiting those vulnerabilities could enable attackers to spoof the user interface and run arbitrary code, and some of them could also be used to cause a denial of service (DoS). Mozilla Firefox versions before 112.0 had vulnerabilities that malicious users could exploit to cause DoS attacks, bypass security restrictions, gain access to sensitive information, and execute arbitrary code.

Mozilla has yet to comment on the issue, and we will keep this news report updated based on their response. It’s important to keep your browser and software updated with the latest security patches to avoid being targeted by cybercriminals.
