mozilla-security-updates-november

Mozilla has released three security advisories to address the vulnerabilities present in Firefox, Firefox ESR, and Thunderbird. A zero-day vulnerability (CVE-2020-15999) has also been addressed in the latest version of Firefox. Firefox version 83 also introduces a new “HTTPS-only mode“, if enabled all the URL’s in the form of “http://” will be converted into respective “https://” format. This mode can be enabled or disabled in Settings > Privacy & Security.


Zero-day CVE-2020-15999 details

The release of version 83 for Firefox fixes a zero-day vulnerability. In October, the Google Project Zero team had discovered a heap buffer overflow vulnerability in Freetype (a font engine). The vulnerability can be triggered by embedding PNG images into fonts, leading to integer overflow caused due to Load_SBit_Png function. This can lead to buffer overflow and an exploitable crash. More details can be found here. The bug could only be exploited if a rarely used, hidden preference is toggled. It only affects the Linux and Android operating systems.
The zero-day bug is also applicable for Chrome. Details about it can be found here.


Vulnerabilities fixed in MFSA (2020-50, 2020-51, 2020-52)

High-severity vulnerabilities

CVE-2020-26951: This vulnerability exists due to insufficient validation of user-supplied input. Successful exploitation of the vulnerability can easily bypass the built-in sanitizer.

CVE-2020-26592: This vulnerability can cause a buffer overflow leading to memory corruption. The incorrect bookkeeping of functions in-lined during the JIT compilation can trigger this vulnerability.
Other high severity vulnerabilities fixed are CVE-2020-26968 and CVE-2020-26969.

Medium-severity vulnerabilities

CVE-2020-26953: It is possible to make the browser enter full-screen mode without displaying any UI notification. This can be used to perform a phishing attack.

CVE-2020-26958: Earlier Firefox versions do not block the execution of scripts with incorrect MIME types. This can lead to a cross-site script inclusion vulnerability or a Content Security Policy bypass.

Other medium severity vulnerabilities fixed include CVE-2020-26959, CVE-2020-26960, CVE-2020-26957, CVE-2020-26955, CVE-2020-26954, CVE-2020-16012, CVE -2020-26956 and CVE-2020-26961

Low severity vulnerabilities fixed include CVE-2020-26962, CVE-2020-26963, CVE-2020-26964, CVE-2020-26965, CVE-2020-26966, and CVE-2020-26967.


Affected versions

Firefox before version 83
Firefox ESR before version 78.5
Thunderbird before version 78.5


Solution

Please refer to this KB Article to apply the patches using SanerNow.

SanerNow detects these vulnerabilities and automatically fixes them by applying security updates. Download SanerNow and keep your systems updated and secure.

Summary
Article Name
Mozilla releases zero-day fix for CVE-2020-15999
Author
Publisher Name
SecPod Technologies
Publisher Logo

Subscribe For More Posts Like This

Get the latest research, best practices, industry trends and cybersecurity blogs from SecPod security experts

Invalid email address
We promise not to spam you. You can unsubscribe at any time.

Leave a Reply

Your email address will not be published. Required fields are marked *