Mozilla patches two critical security issues in Firefox and Thunderbird
Quote: Mozilla published updates for its Firefox and Firefox ESR web browsers on May 20, 2022. The Thunderbird development team released a patch for the email client as well. The security updates patch two critical security issues in the Firefox web browser and Thunderbird.

Here is the list of products with updates:
  • Firefox 100.0.2
  • Firefox ESR 91.9.1
  • Firefox for Android 100.3
  • Thunderbird 91.9.1
The updates are available already, and most user installations will be updated automatically. Desktop users who don't want to wait until that happens may run a manual check for updates to speed up the installation.
  • Firefox: select Menu > Help > About Firefox. Firefox runs a manual check for updates. Any update that is found will be downloaded and installed.
  • Thunderbird: select Help > About Thunderbird. Thunderbird will also check for updates and install any that it finds.
Note: Firefox for Android is updated via Google Play. There is no option to speed up the delivery of updates on Android via Google Play.

The official release notes list a single entry that confirms the security nature of the update. Mozilla published a security advisory for all affected versions of the web browser that provides additional details on the issues:

There, users find out that two security issues have been patched in the update. Both issues have the severity rating of critical, the highest rating that is available. They were reported to Mozilla by Manfred Paul via Trend Micro's Zero Day Initiative.

Quote: CVE-2022-1802: Prototype pollution in Top-Level Await implementation

If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.

CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution

An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process.

The linked bug reports are restricted. Mozilla makes no mention of attacks in the wild that target these vulnerabilities.

Firefox and Thunderbird users may want to update their applications quickly to protect them against attacks targeting these issues.

Now You: when do you update your applications?
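A generic illustration of the bug class named in the CVE-2022-1529 description, added here and not taken from the article or from Mozilla's code (the linked bug reports are restricted): two untrusted keys used to double-index into a plain JavaScript object, beside a hardened version. All function names, field names and the sample message are constructed for this example.

```javascript
// Added illustration of the bug class; hypothetical names, not Firefox code.

// Vulnerable pattern: both keys come from an untrusted message and are used
// to index twice into an ordinary object. If the first key is "__proto__",
// the first lookup returns Object.prototype, so the write lands on the
// prototype shared by every plain object in the receiving context.
function setUnsafe(store, msg) {
  store[msg.group][msg.name] = msg.value;
}

// Hardened pattern: containers have a null prototype (no inherited keys),
// keys must be strings, reserved names are rejected, and the first key must
// be an own property of the store.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

function makeStore(groups) {
  const store = Object.create(null);
  for (const g of groups) store[g] = Object.create(null);
  return store;
}

function setSafe(store, msg) {
  for (const k of [msg.group, msg.name]) {
    if (typeof k !== 'string' || RESERVED.has(k)) return false;
  }
  if (!Object.prototype.hasOwnProperty.call(store, msg.group)) return false;
  store[msg.group][msg.name] = msg.value;
  return true;
}

function demo() {
  // Constructed sample message, as a less-privileged sender might supply it.
  const msg = JSON.parse('{"group":"__proto__","name":"isAdmin","value":true}');

  setUnsafe({ prefs: {} }, msg);
  const pollutedAfterUnsafe = ({}).isAdmin === true; // unrelated object is affected
  delete Object.prototype.isAdmin;                   // undo the pollution

  const safeStore = makeStore(['prefs']);
  const accepted = setSafe(safeStore, msg);
  const pollutedAfterSafe = 'isAdmin' in {};
  const normalOk = setSafe(safeStore, { group: 'prefs', name: 'theme', value: 'dark' });
  return { pollutedAfterUnsafe, accepted, pollutedAfterSafe, normalOk,
           theme: safeStore.prefs.theme };
}
```

The same checks belong at any trust boundary where message contents choose which property of an object is read or written.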