Jump to content
  • Mozilla patches two critical security issues in Firefox and Thunderbird

    Karlston

    • 451 views
    • 2 minutes
     Share


    • 451 views
    • 2 minutes

    Mozilla published updates for its Firefox and Firefox ESR web browsers on May 20, 2022. The Thunderbird development team released a patch for the email client as well. The security updates patch two critical security issues in the Firefox web browser and Thunderbird.

     

    Here is the list of products with updates:

     

    • Firefox 100.0.2
    • Firefox ESR 91.9.1
    • Firefox for Android 100.3
    • Thunderbird 91.9.1

     

    The updates are available already, and most user installations will be updated automatically. Desktop users who don't want to wait until that happens may run a manual check for updates to speed up the installation.

     

    • Firefox: select Menu > Help > About Firefox. Firefox runs a manual check for updates. Any update that is found will be downloaded and installed.
    • Thunderbird: select Help > About Thunderbird. Thunderbird will also check for updates and install any that it finds.

     

    Note: Firefox for Android is updated via Google Play. There is no option to speed up the delivery of updates on Android via Google Play.

     

    The official release notes list a single entry, that confirm the security nature of the update. Mozilla published a security advisory for all affected versions of the web browser that provide additional details on the issues:

     

    There, users find out that two security issues have been patched in the update. Both issues have the severity rating of critical, the highest rating that is available. They were reported to Mozilla by Manfred Paul via Trend Micro's Zero Day Initiative.

     

    CVE-2022-1802: Prototype pollution in Top-Level Await implementation

     

    If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.

     

    CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution

     

    An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process.

     

    The linked bug reports are restricted. Mozilla makes no mention of attacks in the wilds that target these vulnerabilities.

     

    Firefox and Thunderbird users may want to update their applications quickly to protect them against attacks targeting these issues.

     

    Now You: when do you update your applications?

     

     

     

    Mozilla patches two critical security issues in Firefox and Thunderbird


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...