Update Firefox: Mozilla just patched three hijack-me holes and a bunch of other flaws

Mozilla has emitted security updates for Firefox to address eight CVE-listed security flaws, five of them considered to be high-risk vulnerabilities.

The patches, present in Firefox 77, should be downloaded and installed automatically for most users, so if you haven't closed out and relaunched your browser in a while, now might be a good time.

Of the five high-risk flaws, three are confirmed to allow arbitrary code execution, which in the case of a web browser means that simply loading up a malicious page could lead to malware running on your machine. As it turns out, all three of the code execution bugs were found in-house by Mozilla developers, rather than miscreants exploiting them in the wild, which is good news.

Iain Ireland took credit for uncovering CVE-2020-12406, a JavaScript type confusion error that occurs when handling NativeTypes. Devs Tom Tung and Karl Tomlinson shared credit for the discovery of the memory corruption bugs described in CVE-2020-12410, while Mozilla developers :Gijs and Randell Jesup found multiple memory corruption bugs that fell under the designation CVE-2020-12411. While Mozilla did not say it had specifically seen proof-of-concept code in circulation exploiting the bugs, it's pretty sure that with a bit of effort a miscreant could get a working exploit up and running from reading the source changes – so patch away.

Another high-risk vulnerability is CVE-2020-12399. Described as a timing attack in the NSS library, used to secure HTTPS connections, the flaw can be exploited to disclose keys. "NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys," Mozilla explained.

Credit for the discovery went to Cesar Pereida Garcia and the Network and Information Security Group at Finland's Tampere University.

The fifth of the high-risk flaws is CVE-2020-12405, discovered and reported by Marcin "Icewall" Noga of Cisco Talos. Noga found a use-after-free() bug in the SharedWorkService component that, when exploited by a web page, would cause what Mozilla termed a potentially "exploitable crash."

Of the remaining three CVE-entries, CVE-2020-12407 is the most serious. The moderate-rated flaw is a GPU memory leak bug that, interestingly enough, displays memory contents on the screen so that the local user can see them, but not to any web content. Credit for the discovery went to Mozilla developer Nicolas Silva.

CVE-2020-12408 and CVE-2020-12409 are both low-risk URL spoofing bugs discovered by independent researcher Rayyan Bijoora.

Talos details Zoom RCEs

Were you wondering why you recently had to update your Zoom software as well? A pair of advisories by Cisco Talos may explain why. Unnamed researchers with the security firm laid claim to a pair of remote code execution flaws that were privately disclosed to Zoom by the team, and patched last month.

CVE-2020-6109 is an arbitrary file write vulnerability that arises when the Zoom client receives a chat message containing animated GIFs.

"A specially crafted chat message can cause an arbitrary file write, which could potentially be abused to achieve arbitrary code execution," Talos explained. "An attacker needs to send a specially crafted message to a target user or a group to exploit this vulnerability."

CVE-2020-6110 is also exploitable via specially crafted chat messages, this time with embedded code snippets.

"An exploitable partial path traversal vulnerability exists in the way Zoom Client version 4.6.10 processes messages including shared code snippets," Talos said. "A specially crafted chat message can cause an arbitrary binary planting which could be abused to achieve arbitrary code execution."

In each case, the flaw can be shored up by updating to the latest version of the Zoom client. Of course, that won't do much to keep out the FBI or other snooping government agencies, thanks to Zoom's vow to not end-to-end encrypt free calls. ®