Firefox, Thunderbird, receive patches for critical security issues

Mozilla has published updates for two critical security issues in Firefox and Thunderbird, demonstrated during Pwn2Own Vancouver. The vulnerabilities, discovered in the Firefox JavaScript engine (shared by the Firefox-based Tor browser) relate to Firefox 100.0.2, Firefox for Android 100.3.0, and Firefox ESR 91.9.1. For users of Thunderbird, the vulnerability there is in relation to Thunderbird 91.9.91.

Additionally, there is some fallout beyond the standard versions of Firefox and Thunderbird. Users of the anti-surveillance Tails Operating System have been warned to stop using the bundled Tor browser until a fix goes live. This is because it could be potentially vulnerable to CVE-2022-1802:

This vulnerability allows a malicious website to bypass some of the security built in Tor Browser and access information from other websites.

For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.

This vulnerability doesn’t break the anonymity and encryption of Tor connections.

The fix for this Tails issue may not be seen until at least version 5.1. At time of writing, the expected release date for this is May 31.

The vulnerabilities

The two issues come with the following description:

CVE-2022-1802 is a critical prototype pollution vulnerability. According to Mozilla, an attacker who was able to corrupt the methods of an Array object in JavaScript via prototype pollution, could have executed malicious JavaScript code in a privileged context.

CVE-2022-1529 is another critical prototype pollution vulnerability. In this case, Mozilla says that untrusted user input was used in object indexing, leading to prototype pollution, which could have allowed an attacker to execute malicious JavaScript code in a privileged context.

Update now, if you haven’t already

Most installations of Thunderbird and Firefox will be set to update by default. If this is the case, you should already have the security fixes applied and you have nothing to worry about.

This isn’t the case for all installations, however. If you don’t have Firefox or Thunderbird set to update automatically, the fix won’t be present. As a result, you’ll need to manually apply the update.

In Firefox, navigate to Settings and then click General > Firefox Updates.

From here, select the most suitable option from Allow Firefox to:

  • Automatically install updates
  • Check for updates but let you choose to install them.

The update process for Thunderbird is much the same as Firefox. By default, it’s set to update manually, but you can select similar options to Firefox using the Advanced option in the Updates tab.

With both of these tasks accomplished, you should no longer be at risk from either CVE.

The post Firefox, Thunderbird, receive patches for critical security issues appeared first on Malwarebytes Labs.

Posted in: NEWS

Leave a Comment (0) ↓