CISA urges organizations to update Firefox, Firefox ESR, and Thunderbird

On 28 June 2022, the Mozilla Foundation released patches fixing multiple vulnerabilities in Firefox, Firefox ESR, and Thunderbird:

  • CVE-2022-34479: A popup window could be resized in a way to overlay the address bar with web content. (Impact: High)
  • CVE-2022-34470: Use-after-free in nsSHistory. (Impact: High)
  • CVE-2022-34468: CSP sandbox header without “allow-scripts” can be bypassed via retargeted javascript: URI. (Impact: High)
  • CVE-2022-34482: Drag and drop of malicious image could have led to malicious executable and potential code execution vulnerability. (Impact: Moderate)
  • CVE-2022-2226: An email with a mismatching OpenPGP signature date was accepted as valid. (Impact: Moderate)
  • CVE-2022-34481: Potential integer overflow in ReplaceElementsAt. (Impact: Moderate)
  • CVE-2022-34483: Drag and drop of malicious image could have led to malicious executable and potential code execution. (Impact: Moderate)
  • CVE-2022-34476: ASN.1 parser could have been tricked into accepting malformed ASN.1. (Impact: Moderate)
  • CVE-2022-34474: Sandboxed IFrames could redirect to external schemes. (Impact: Moderate)
  • CVE-2022-34469: TLS certificate errors on HSTS-protected domains could be bypassed by the user on Firefox for Android. (Impact: Moderate)
  • CVE-2022-34471: The compromised server could trick a browser into an addon downgrade. (Impact: Moderate)
  • CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being blocked. (Impact: Moderate)
  • CVE-2022-34478: Microsoft protocols can be attacked if a user accepts a prompt. (Impact: Moderate)
  • CVE-2022-2200: Undesired attributes could be set as part of the prototype pollution. (Impact: Moderate)
  • CVE-2022-34480: Free of an uninitialized pointer in lg_init. (Impact: Low)
  • CVE-2022-34477: MediaError message property leaked information on cross-origin same-site pages. (Impact: Low)
  • CVE-2022-34475: HTML Sanitizer could have been bypassed via same-origin script via use tags. (Impact: Low)
  • CVE-2022-34473: HTML Sanitizer could have been bypassed via use tags. (Impact: Low)
  • CVE-2022-34484: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11. (Impact: High)
  • CVE-2022-34485: Memory safety bugs fixed in Firefox 102. (Impact: Moderate)

On 29 June 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) released a security advisory encouraging all users and administrators in all organizations to apply the necessary patches (Firefox 102, Firefox ESR 91.11, Thunderbird 91.11, and Thunderbird 102) to fix these vulnerabilities.
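A practical check for the fixed versions listed above, added here as an example and not taken from the CISA or Mozilla advisories: the ESR and non-ESR channels have to be compared separately, because a plain numeric comparison would report Firefox ESR 91.11.0 as older than Firefox 102 even though both are patched. It assumes version banners in the form printed by `firefox --version` / `thunderbird --version` (e.g. `Mozilla Firefox 91.11.0esr`), and the inventory dictionary is constructed sample data.

```python
import re

# Minimum fixed versions from the advisory, keyed by (product, channel).
# Thunderbird 91.11 is treated as the "esr"-style branch next to Thunderbird 102.
FIXED = {
    ("firefox", "release"): (102, 0, 0),
    ("firefox", "esr"): (91, 11, 0),
    ("thunderbird", "release"): (102, 0, 0),
    ("thunderbird", "esr"): (91, 11, 0),
}

# Matches "102.0", "101.0.1" or "91.11.0esr" at the end of a version banner.
_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?$")


def parse_version(banner):
    """Return (product, channel, (major, minor, patch)) for a banner such as
    'Mozilla Firefox 91.11.0esr' or 'Thunderbird 102.0'."""
    text = banner.strip().lower()
    product = "thunderbird" if "thunderbird" in text else "firefox"
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {banner!r}")
    major, minor, patch = (int(x) if x else 0 for x in match.group(1, 2, 3))
    if product == "thunderbird":
        # Thunderbird carries no "esr" suffix; the 91.x line is the long-term branch.
        channel = "esr" if major == 91 else "release"
    else:
        channel = "esr" if match.group(4) else "release"
    return product, channel, (major, minor, patch)


def is_patched(banner):
    """True when the reported build is at or above the fixed version for its channel."""
    product, channel, version = parse_version(banner)
    return version >= FIXED[(product, channel)]


def unpatched_hosts(inventory):
    """Given {hostname: version banner}, return the hosts still needing the update."""
    return sorted(host for host, banner in inventory.items() if not is_patched(banner))


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 102.0",
    "ws-02": "Mozilla Firefox 91.11.0esr",
    "ws-03": "Mozilla Firefox 91.10.0esr",
    "ws-04": "Mozilla Firefox 101.0.1",
    "mail-01": "Thunderbird 91.11.0",
    "mail-02": "Thunderbird 91.10.0",
}
```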

Sources:

https://www.mozilla.org/en-US/security/advisories/mfsa2022-24/

https://www.mozilla.org/en-US/security/advisories/mfsa2022-26/

https://www.mozilla.org/en-US/security/advisories/mfsa2022-25/

https://www.cisa.gov/uscert/ncas/current-activity/2022/06/29/mozilla-releases-security-updates-firefox-firefox-esr-and