October 25, 2023 at 03:57PM
Mozilla and Google have released software updates for Firefox and Chrome to address high-severity vulnerabilities, including memory safety bugs. Mozilla’s Firefox update addresses 11 vulnerabilities, including an insufficient activation-delay bug and memory safety issues that could allow arbitrary code execution. The update also patches medium-severity flaws affecting header leakage, crashes, and bypass of download protections. Google’s Chrome update fixes a use-after-free issue in Profiles and is now rolling out to users. Neither company has reported any exploitation of these vulnerabilities in malicious attacks.
From the meeting notes, it was discussed that both Mozilla and Google have released software updates for their web browsers, Firefox and Chrome, respectively. These updates aim to address multiple vulnerabilities, including some high-severity issues.
Mozilla released Firefox version 119, which includes patches for 11 vulnerabilities. Among these, three are classified as high-severity. One of the high-severity flaws, identified as CVE-2023-5721, could inadvertently activate or dismiss browser prompts and dialogues, potentially leading to clickjacking. Additionally, there are memory safety issues (CVE-2023-5730 and CVE-2023-5731) that attackers could exploit to execute arbitrary code. Furthermore, Firefox 119 addresses seven medium-severity flaws, which could result in header leakage, crashes, unexpected errors, arbitrary URL openings, obscured full-screen notifications, and bypassing of download protections. Mozilla also released Firefox ESR 115.4 and Thunderbird 115.4.1 with eight patches, including the aforementioned high-severity and memory safety issues.
During the meeting, it was clarified that there have been no reports of these vulnerabilities being actively exploited in malicious attacks.
On the other hand, Google announced a software update for Chrome that addresses two vulnerabilities, one of which is classified as high-severity. The high-severity issue, tracked as CVE-2023-5472, is a use-after-free bug in Profiles. This vulnerability was reported by an external researcher, who received a $3,000 reward. Use-after-free bugs in Chrome can potentially allow attackers to escape the browser sandbox and execute code on the underlying operating system. However, Google has not recorded any instances of this vulnerability being exploited in the wild.
The new version of Chrome, labeled as 118.0.5993.117 for macOS and Linux and 118.0.5993.117/.118 for Windows, is now being rolled out to users.
Related: Chrome version 118 addresses 20 vulnerabilities.
Related: Firefox version 118 patches high-severity vulnerabilities.
Related: High-severity memory corruption vulnerabilities have been patched in Firefox and Chrome.