Mozilla Firefox 121 Security Vulnerabilities

Mozilla recently announced the release of Firefox 121, addressing several critical security vulnerabilities and bringing significant improvements. The patch includes fixes for high, moderate, and low-impact issues. Here’s a summary of the key CVE alerts:

High-Impact Vulnerabilities

  1. CVE-2023-6856: Concerns a heap buffer overflow affecting WebGL’s DrawElementsInstanced method when using the Mesa VM driver. This could enable remote code execution and sandbox escape.
  2. CVE-2023-6135: Involves NSS NIST curves susceptible to a “Minerva” side-channel attack, potentially leading to private key recovery.
  3. CVE-2023-6865: Indicates potential exposure of uninitialized data in EncryptingOutputStream, primarily impacting private browsing mode.
  4. CVE-2023-6864 and CVE-2023-6873: Cover memory safety bugs that showed evidence of memory corruption and could potentially be exploited to run arbitrary code.

Moderate-Impact Vulnerabilities

  1. CVE-2023-6857: Involves a race condition leading to smaller-than-expected buffers when resolving symlinks, affecting Firefox on Unix-based operating systems.
  2. CVE-2023-6858 to CVE-2023-6862 and CVE-2023-6866 to CVE-2023-6868: Cover various issues such as heap buffer overflow, use-after-free conditions, insufficient exception handling in TypedArrays, sandbox escape potential, and other weaknesses affecting Firefox on Android and general browsing.

Low-Impact Vulnerabilities

  1. CVE-2023-6869 to CVE-2023-6872: Encompass a range of issues from content manipulation and Android notification clashes to lack of protocol handler warnings and potential browsing history leakage.

Mozilla strongly advises all users to update to Firefox 121 immediately to mitigate these vulnerabilities. For further details on each CVE and its fix, refer to the official Mozilla Foundation Security Advisory 2023-56.