Cybersecurity

Mozilla Patches Firefox Vulnerability Allowing Remote Code Execution, Sandbox Escape

Mozilla on Tuesday announced security updates for both Firefox and Thunderbird, to address 20 vulnerabilities, including several memory safety issues.

Firefox 121 was released with patches for 18 vulnerabilities, five of which have a ‘high’ severity rating.

At the top of the list is CVE-2023-6856, a heap buffer overflow bug in WebGL, the JavaScript API for rendering interactive graphics within the browser.

“The WebGL DrawElementsInstanced method was susceptible to a heap buffer overflow when used on systems with the Mesa VM driver. This issue could allow an attacker to perform remote code execution and sandbox escape,” Mozilla explains in its advisory.

Next in line is CVE-2023-6135, an issue rendering Network Security Services (NSS) NIST curves vulnerable to the Minerva side-channel attack, which could allow adversaries to recover the long-term private key.

Mozilla also resolved CVE-2023-6865, a bug potentially exposing uninitialized data in EncryptingOutputStream, which could be exploited to write data to a local disk, potentially impacting the private browsing mode.

The latest Firefox iteration also addresses multiple memory safety issues that are collectively tracked as CVE-2023-6873 and CVE-2023-6864. The latter also impacts Firefox ESR and Thunderbird.

Firefox 121 also resolves eight medium-severity flaws, including heap buffer overflow, use-after-free, and sandbox escape issues. The remaining five bugs are rated ‘low’ severity.

Advertisement. Scroll to continue reading.

On Tuesday, Mozilla announced the release of Thunderbird 115.6 with patches for 11 vulnerabilities, nine of which were addressed in Firefox as well.

The remaining two, both high-severity flaws, could allow attackers to spoof email messages (CVE-2023-50762), or spoof the time at which a message was sent (CVE-2023-50761).

Firefox ESR 115.6 was also released on Tuesday, with patches for 11 of the security defects that Firefox 121 resolves.

Mozilla makes no mention of any of these vulnerabilities being exploited in attacks. Additional information can be found on Mozilla’s security advisories page.

Related: Firefox, Chrome Updates Patch High-Severity Vulnerabilities

Related: Firefox 118 Patches High-Severity Vulnerabilities

Related: High-Severity Memory Corruption Vulnerabilities Patched in Firefox, Chrome