Mozilla posted an advisory on September 6, 2018, disclosing multiple security flaws in Firefox 61. These have been patched in the latest version of the browser. Four of these vulnerabilities are rated High or Critical. As of the publication of this advisory, these vulnerabilities do not appear to be under attack in the wild.
If you use Firefox, update to the latest version as soon as possible by following these steps:
1. Click the ‘Firefox’ menu and ‘About Firefox’.
2. The browser will check for an update automatically and will download the update if available.
3. You will then be prompted to ‘Restart to update Firefox’.
Two of the bugs marked as high-impact, CVE-2018-12377 and CVE-2018-12378, are use-after-free vulnerabilities. This type of bug exists when an application has released data stored in memory and then tries to access that data after it has been released. With this type of bug, an application can crash or ‘behave abnormally’. What ‘behaving abnormally’ means depends on the circumstances in which that section of memory is accessed: the released memory could be entirely empty, or it could be carrying data from another source that saw the empty space and stored its data in that location.
In the case of these two Firefox bugs, the advisory states the existence of a ‘potentially exploitable crash’, which is common for this type of vulnerability. There was no mention of possible remote code execution, a possible consequence of use-after-free vulnerabilities, which suggests that this particular vector of attack is not present in these cases.
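The stale-reference behaviour described above, as an added C example that is not from Mozilla's advisory or from Firefox's code: a constructed one-slot pool (all names are hypothetical) shows a stale handle reading another owner's data once the slot is reused, next to a generation check that rejects the stale handle. The pool models the allocator, so no freed memory is actually touched.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: one reusable slot stands in for a heap chunk that the
   allocator hands straight back to the next caller after a free. */
#define SLOT_SIZE 32

typedef struct {
    char     data[SLOT_SIZE];
    uint32_t generation;          /* bumped every time the slot is released */
    int      in_use;
} slot_t;

typedef struct { slot_t *slot; uint32_t generation; } handle_t;

static slot_t pool;               /* zero-initialised: free, generation 0 */

handle_t pool_alloc(const char *contents) {
    pool.in_use = 1;
    strncpy(pool.data, contents, SLOT_SIZE - 1);
    pool.data[SLOT_SIZE - 1] = '\0';
    handle_t h = { &pool, pool.generation };
    return h;
}

/* Release only if the handle is current; a stale (double) free is ignored. */
void pool_free(handle_t h) {
    if (h.slot->in_use && h.slot->generation == h.generation) {
        h.slot->in_use = 0;
        h.slot->generation++;
    }
}

/* What a dangling pointer does: follows the address, no questions asked. */
const char *read_unchecked(handle_t h) { return h.slot->data; }

/* Mitigation: refuse the access when the slot was released since allocation. */
const char *read_checked(handle_t h) {
    if (!h.slot->in_use || h.slot->generation != h.generation) return NULL;
    return h.slot->data;
}

int main(void) {
    handle_t a = pool_alloc("owner A: session state");
    pool_free(a);                                   /* 'a' is now stale */
    handle_t b = pool_alloc("owner B: unrelated data");
    printf("unchecked stale read: %s\n", read_unchecked(a));
    printf("checked stale read:   %s\n", read_checked(a) ? "allowed" : "rejected");
    printf("checked live read:    %s\n", read_checked(b));
    return 0;
}
```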
The other two vulnerabilities of interest, CVE-2018-12375 and CVE-2018-12376 (marked High and Critical-impact, respectively), are known as memory safety bugs. Memory safety covers a rather wide range of issues, including buffer overflows, so the scope of these two bugs remains to be seen. Mozilla’s advisory entries on both of these CVEs state: “Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.”
Mozilla’s statement that they “presume” the reported memory safety bugs “could” be exploited with “enough effort” to run code is an important one. It is not necessarily an uncommon mindset to have, but it is worth bringing attention to it when it comes up. Patching a vulnerability that may not be feasibly exploited today is still critical at a time when techniques and technologies advance so rapidly.