Mozilla has released three security advisories to address the vulnerabilities present in Firefox, Firefox ESR, and Thunderbird. A zero-day vulnerability (CVE-2020-15999) has also been addressed in the latest version of Firefox. Firefox version 83 also introduces a new “HTTPS-only mode“, if enabled all the URL’s in the form of “http://” will be converted into respective “https://” format. This mode can be enabled or disabled in Settings > Privacy & Security.
Zero-day CVE-2020-15999 details
The release of version 83 for Firefox fixes a zero-day vulnerability. In October, the Google Project Zero team had discovered a heap buffer overflow vulnerability in Freetype (a font engine). The vulnerability can be triggered by embedding PNG images into fonts, leading to integer overflow caused due to Load_SBit_Png function. This can lead to buffer overflow and an exploitable crash. More details can be found here. The bug could only be exploited if a rarely used, hidden preference is toggled. It only affects the Linux and Android operating systems.
The zero-day bug is also applicable for Chrome. Details about it can be found here.
Vulnerabilities fixed in MFSA (2020-50, 2020-51, 2020-52)
CVE-2020-26951: This vulnerability exists due to insufficient validation of user-supplied input. Successful exploitation of the vulnerability can easily bypass the built-in sanitizer.
CVE-2020-26592: This vulnerability can cause a buffer overflow leading to memory corruption. The incorrect bookkeeping of functions in-lined during the JIT compilation can trigger this vulnerability.
Other high severity vulnerabilities fixed are CVE-2020-26968 and CVE-2020-26969.
CVE-2020-26953: It is possible to make the browser enter full-screen mode without displaying any UI notification. This can be used to perform a phishing attack.
CVE-2020-26958: Earlier Firefox versions do not block the execution of scripts with incorrect MIME types. This can lead to a cross-site script inclusion vulnerability or a Content Security Policy bypass.
Other medium severity vulnerabilities fixed include CVE-2020-26959, CVE-2020-26960, CVE-2020-26957, CVE-2020-26955, CVE-2020-26954, CVE-2020-16012, CVE -2020-26956 and CVE-2020-26961
Low severity vulnerabilities fixed include CVE-2020-26962, CVE-2020-26963, CVE-2020-26964, CVE-2020-26965, CVE-2020-26966, and CVE-2020-26967.
Firefox before version 83
Firefox ESR before version 78.5
Thunderbird before version 78.5
Please refer to this KB Article to apply the patches using SanerNow.
SanerNow detects these vulnerabilities and automatically fixes them by applying security updates. Download SanerNow and keep your systems updated and secure.