The Mozilla Foundation yesterday issued updates for its Firefox and Thunderbird products, fixing a total of five vulnerabilities, one critical.
The most severe bug, designated CVE-2018-12390, consists of a series of memory safety bugs discovered by Mozilla developers and community members in Firefox 63, Firefox ESR 60.3 and Thunderbird 60.3. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code,” said a Mozilla advisory.
Researchers also found a series of low-severity memory safety bugs in the same three products (CVE-2018-12389).
Mozilla has noted that these vulnerabilities are most risky in browser or browser-like environments, but generally cannot be exploited through email in the Thunderbird product due to disabled scripting.