Network Security, Patch/Configuration Management, Vulnerability Management

Mozilla’s latest Firefox releases fix 22 vulnerabilities

The Mozilla Foundation yesterday issued version 66 of Firefox and 60.6 of Firefox Extended Support Release (ESR), in the process patching 22 vulnerabilities between them, five of them critical.

Four of the five most severe flaws were found in both the standard and ESR versions of the browser. Among them is CVE-2019-9790, a use-after-free vulnerability that can occur when in-use DOM (Document Object Model) elements are removed. The flaw, discovered by researcher Brandon Wieser, could be exploited to deliberately cause a crash.

Two additional shared critical bugs were found in the IonMonkey JavaScript JIT compiler for SpiderMonkey. The first, a type confusion flaw (CVE-2019-9791), can enable arbitrary reading and writing of objects during an exploitable crash. The other, CVE-2019-9792, involves the leaking of a magic value to the running script, which can be leveraged to trigger memory corruption and ultimately a crash. Samuel Groß of Google Project Zero is credited with discovering both of these issues.

The final shared critical vulnerability consisted of a series of memory safety bugs (CVE-2019-9788) uncovered by Mozilla's developers and community. A separate set of memory safety bugs (CVE-2019-9789) was found only in the standard version of Firefox.

The previous versions of Firefox and Firefox ESR also shared an additional four high-severity flaws and one moderate-severity bug. ESR also had one moderate vulnerability of its own patched, while the latest standard version fixed an additional four moderate-severity and four low-severity bugs.
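For teams tracking this release in a patch-management inventory, the following added example (not Mozilla's tooling, nor code from this article) maps an installed Firefox version string to the critical CVEs named above that the build still lacks. It assumes the article's fixed versions, Firefox 66 for the standard branch and 60.6 for ESR, and that ESR builds report an "esr" suffix; the high, moderate and low bugs the article only counts are not covered.

```python
"""Check an installed Firefox build against the fixes described in this advisory.

Assumptions (not from Mozilla): version strings look like '65.0.1' or
'60.5.2esr', and an 'esr' suffix marks the Extended Support Release branch.
"""

# Versions the article names as carrying the fixes (constructed from its text).
FIXED_VERSIONS = {"release": (66,), "esr": (60, 6)}

# Critical CVEs the article lists as fixed in both branches, plus one release-only.
CRITICAL_SHARED = ["CVE-2019-9790", "CVE-2019-9791", "CVE-2019-9792", "CVE-2019-9788"]
CRITICAL_RELEASE_ONLY = ["CVE-2019-9789"]


def branch_of(version_text: str) -> str:
    """Classify the build as 'esr' or 'release' from its suffix."""
    return "esr" if version_text.strip().lower().endswith("esr") else "release"


def parse_version(version_text: str) -> tuple:
    """Turn '60.6esr' into (60, 6); raise ValueError on malformed input."""
    core = version_text.strip().lower()
    if core.endswith("esr"):
        core = core[:-3]
    parts = core.split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Firefox version: {version_text!r}")
    return tuple(int(p) for p in parts)


def outstanding_cves(installed: str) -> list:
    """Return the critical CVEs from this advisory still unpatched in `installed`.

    Python tuple comparison handles differing lengths: (65, 0, 1) < (66,) and
    (60, 5, 2) < (60, 6), while (66, 0) and (60, 6, 1) compare as patched.
    """
    branch = branch_of(installed)
    if parse_version(installed) >= FIXED_VERSIONS[branch]:
        return []
    cves = list(CRITICAL_SHARED)
    if branch == "release":
        cves += CRITICAL_RELEASE_ONLY
    return cves


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("ws-01", "65.0.1"), ("ws-02", "66.0"), ("srv-03", "60.5.2esr")]:
        print(host, ver, outstanding_cves(ver) or "up to date for this advisory")
```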

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
