The Mozilla Foundation has released Firefox 84, fixing several flaws and adding performance improvements and support for Apple processors.
The Mozilla Foundation’s update to the Firefox web browser, released Tuesday, addresses a critical vulnerability and a number of high-severity bugs. Released as Firefox version 84, the update also improves browser performance and adds native support for macOS hardware running on Apple’s own processors.
In addition to the critical bug, which is tracked as CVE-2020-16042, a total of six high-severity vulnerabilities were fixed. The same critical Firefox bug was also highlighted in a security update to Google Chrome earlier this month, where it was rated as a high-severity vulnerability.
Both browser makers still have not fully described the Firefox and Chrome bug involved (CVE-2020-16042), listing it only as a memory error.
Mystery bug also affects Google Chrome
A 2017 study published by Georgia Tech suggests that “these are actually key attack vectors that hackers can reliably use to launch privilege elevation attacks in the Linux kernel.”
Last week, Microsoft also cited the CVE in its December Patch Tuesday patch list as affecting Edge browser version 87.0.664.57. Microsoft’s Edge browser was released in January 2020 and is based on Google’s open source software project Chromium. Chromium source code is used in both Google’s Chrome browser and Microsoft’s 2020 Edge browser.
Mozilla’s Firefox browser is not based on Chromium. Mozilla Firefox and Apple Safari support WASM, even though neither of them uses Google’s V8. Some clues about the nature of the vulnerability can be drawn from the fact that it affects both Firefox and Chrome: the common denominator is WASM. In addition, analysis of WASM and V8 bugs in 2018 warned of possible security issues.
In 2018, Google’s Project Zero released a study called “WebAssembly Issues and Promises” and identified three vulnerabilities that have been mitigated. Google warned that future WASM threats are related to WebAssembly’s garbage collector (GC) functionality.
In its 2018 warning, Google wrote:
“WebAssembly GC is another potential feature of WebAssembly that could lead to security issues. Currently, there are performance issues with some uses of WebAssembly due to the lack of advanced memory management in WebAssembly. For example, it is difficult to implement a high-performance Java virtual machine in WebAssembly. If WebAssembly GC were implemented, it would increase the number of applications available for WebAssembly, but it would also make vulnerabilities related to memory management more likely in the WebAssembly engine and applications written in WebAssembly.”
Technical details of the CVE are not yet publicly available on the two national vulnerability database repositories, MITRE and NIST. Google’s December security bulletin notes that details related to CVE-2020-16042 and other bugs have been held “until a fix has been made for most users.” It also notes that technical details of the bug will be limited if the bug exists in third-party codebases used in other devices or platforms.
According to Google, bug hunter André Bargull, who is credited with finding the bug, originally reported it on Nov. 23.
Six high-severity Firefox bugs
Memory issues dominated the list of high-severity vulnerabilities patched by Mozilla on Tuesday. Two “memory safety bugs” (CVE-2020-35114 and CVE-2020-35113) were fixed. Both CVEs address bugs in Firefox 84 and in Firefox Extended Support Release (ESR) 78.6, its browser for large enterprises.
Mozilla wrote: “Some of these bugs show signs of memory corruption, and we believe that, with sufficient effort, some of these vulnerabilities may have been exploited to run arbitrary code.”
Also related to browser memory are bugs tracked as CVE-2020-26971, CVE-2020-26972 and CVE-2020-26973, which include a heap buffer overflow in WebGL, a use-after-free in WebGL and a sanitization flaw in which CSS cleanup procedures are executed incorrectly.