Multiple vulnerabilities were detected within Mozilla Firefox 87, Thunderbird, and Firefox ESR. The most critical is an arbitrary code execution vulnerability. This software is very popular with everyone: a web browser and an e-mail client. If an attacker is successful, they can install software or delete/change all your data (depending on the type of user rights). In this blog, we will give you an overview of all the CVE vulnerabilities.
The affected systems are Mozilla Firefox versions prior to 87.0, Mozilla Firefox ESR versions prior to 78.9, and Mozilla Thunderbird versions prior to 78.7. The new Firefox 88 updates fixes 13 bugs (6 of them are critical). Update all your installations to Firefox 88 as soon as possible.
CVE-2021-23998 - Secure Lock Icon Spoofed
"Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page." - stated Mozilla. CVE-2021-23998 is a bug within the secure lock icon. This can affect both the corporate and consumer versions of Firefox.
The spoofed secure lock icon, a browser padlock icon user by major browsers, has a moderate severity rating. This icon indicates that there is a secure communication channel between your browser and the server that is hosting the website. Because of the bug, it can give a false sense of security to the users. We advise you to update to Firefox 88 as soon as possible.
Other High-Severity Bugs
CVE-2021-23994 - Out-of-bounds write
CVE-2021-23994 could allow a remote attacker to take over your system. Caused by a boundary error when WebGL frame buffer processes untrusted input. Via a malicious webpage, the user can be tricked into opening it and trigger the out-of-bounds write. The attacker can be non-authenticated.
CVE-2021-23995 - User-After-Free
Just like the Out-of-Bounds write, CVE-2021-23995 exists because of a boundary error when Responsive Design Mode is enabled. "When Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary code," wrote Mozilla.
The user is tricked into opening a malicious web page which triggers a use-after-free error.
CVE-2021-23996 - Security Restrictions Bypass
Get Started with IT Asset Management 2.0
Discover assets you don't even know about and learn why Lansweeper is used by thousands of organizations worldwide.
CVE-2021-23997 - Use-After-Free
CVE-2021-23997 is also a use-after-free error but it's caused by unexpected data type conversions when freeing fonts from the cache. By tricking the user into opening a malicious web page, it can trigger the use-after-free error.
CVE-2021-23999 - Insecure Inheristed Permissions
CVE-2021-23999 allows an attacker to perform a spoofing attack. This is possible because of the way Firefox handles Blob URLs. A blob or object URL is a pseudo protocol that allows Blob and File objects to be used as URL sources for images, download links, and so on. If a Blob URL was loaded via some unusual user interaction, it's possible that it's loaded by the System Principal thus granting extra privileges (that should not be granted) to web content.
Run the Firefox 87 Vulnerability Audit Report
Our security experts have issued a dedicated Mozilla Firefox Audit Report that gives you an overview of all affected devices and their patch status.