Mozilla exorcises five bugs on Halloween

The Mozilla Foundation yesterday issued updates for its Firefox and Thunderbird products, fixing a total of five vulnerabilities, one critical.

The most severe bug, designated CVE-2018-12390, consists of a series of memory safety bugs discovered by Mozilla developers and community members in Firefox 63, Firefox ESR 60.3 and Thunderbird 60.3. "Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code," said a Mozilla advisory.

Researchers also found a series of low-severity memory safety bugs in the same three products (CVE-2018-12389).

Three other flaws were categorized as high in severity. The first, CVE-2018-12391, allows audio data to be accessed across origins, in violation of security policies, during HTTP Live Stream playback on Firefox for Android. The second, CVE-2018-12392, is the result of poor event handling related to nesting loops, and could enable attackers to trigger a crash. And the third, CVE-2018-12393, is an out-of-bounds write vulnerability that stems from integer overflow during Unicode conversion while loading JavaScript.

Mozilla has noted that these vulnerabilities are most risky in browser or browser-like environments, but generally cannot be exploited through email in the Thunderbird product due to disabled scripting.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
