Patches fix everything from memory out-of-bounds to use-after-free bugs
Twelve high priority bugs in Mozilla Firefox’s software have been patched today, and Google’s Project Zero found two of them.
Mozilla’s fixes came as part of “Batch Tuesday”, a monthly update of software security fixes pushed out by firms including Adobe and Microsoft.
Sergei Glazunov, a software engineer at Google, uncovered one security flaw, that, if left unchecked, could lead to potentially exploitable memory corruption followed by the immediate crashing of the device.
Another Google engineer Natalie Silvanovich uncovered a flaw that could result in an out of bounds read, where hackers can potentially read sensitive information from other memory locations, or cause a crash.
The rest of the patches, spanning Firefox 74 and 7 for Firefox ESR68.6 were a mixed bag, as Jay Goodman at Automox, noted, “correcting everything from memory out-of-bounds to use-after-free bugs, with a few standouts.”
He added: “While none have been seen exploited in the wild yet, the time to weaponization averages seven days. And with Firefox’s increasing market growth in the enterprise market, leaving any devices unpatched could lead to a security incident.”
Glazunov and Silvanovich both work for Google’s Project Zero, formed in 2014, which is tasked with finding and reporting zero day security vulnerabilities.
In all, of the 13 bugs patched within Mozilla’s software, six have been deemed as a high security risk for users.
The full list of CVEs is here.