Thu. Feb 22nd, 2024



The Indian Computer Emergency Response Team (CERT-In) has issued an urgent warning to Mozilla Firefox users. The cyber watchdog has warned users regarding a series of critical vulnerabilities that can expose their devices to hacker attacks. These vulnerabilities have been listed on the CERT-In Vulnerability Note CIVN-2023-0348. The cybersecurity agency claims that these flaws pose a significant risk to the safety and performance of affected devices.
CERT-In has also explained that the outlined vulnerabilities have stemmed from various coding flaws.This can expose users to attackers who can take control of devices, steal sensitive data, or disrupt normal operations.
Mozilla Firefox vulnerabilities: Affected versions
The cybersecurity agency has also listed the versions of Mozilla’s Firefox browser that are exposed to security flaws. This includes:

  • Mozilla Firefox ESR versions before 115.5.0
  • Mozilla Firefox for iOS versions before 120
  • Mozilla Firefox versions before 120
  • Mozilla Thunderbird versions before 115.5

How these vulnerabilities can affect users
CERT-In notes that attackers can exploit these vulnerabilities by persuading victims to visit specially designed websites or opening malicious attachments. The warning also details the identified vulnerabilities in Mozilla Firefox. Here’s how they can be abused to attack users:
Out-of-bound memory access in WebGL2 blitFramebuffer: This flaw can allow attackers to crash affected browsers or execute arbitrary code.
Use-after-free vulnerabilities in MessagePort::Entangled and ReadableByteStreamQueueEntry::Buffer: These vulnerabilities may allow attackers to manipulate device memory and gain unauthorised access to sensitive information.
Clickjacking permission prompts using the fullscreen transition: This security flaw can enable attackers to trick users into granting permission for malicious websites. By doing this, the hacker can get access to sensitive information or perform actions without the user’s consent.
Selection API copying contents into X11 primary selection: This vulnerability allows attackers to steal sensitive information that has been copied to the clipboard.

Incorrect parsing of relative URLs starting with “III”: This bug can help attackers redirect users to malicious websites or bypass security measures.
Mixed-content resources not blocked in a javascript: pop-up: This flaw allows hackers to load insecure content on websites, which eventually compromises user security.
Clickjacking to load insecure pages in HTTPS-only mode: This vulnerability can enable attackers to bypass HTTPS security and load malicious content on websites.
Memory safety bugs: These bugs let attackers crash affected browsers or execute arbitrary code.
Privilege escalation through HTML injection in %READER-BYLINE% of ReaderMode: This flaw can enable attackers to inject malicious code into the browser’s ReaderMode. This bug also has the potential to compromise user security.





Source link