Mozilla fixes two critical security issues in Firefox and Thunderbird

Mozilla released updates for its Firefox and Firefox ESR web browsers on May 20, 2022. The Thunderbird development team also released a patch for the email client. The security updates address two critical security issues in Firefox and Thunderbird.

Here is the list of products with updates:

  • Firefox 100.0.2
  • Firefox ESR 91.9.1
  • Firefox for Android 100.3
  • Thunderbird 91.9.1

Updates are already available and most user installs will update automatically. Desktop users who don’t want to wait for this to happen can run a manual check for updates to speed up installation.

  • Firefox: Select Menu > Help > About Firefox. Firefox runs a manual check for updates. Any update found will be downloaded and installed.
  • Thunderbird: Select Help > About Thunderbird. Thunderbird will also check for updates and install any it finds.

Note: Firefox for Android is updated through Google Play. There is no option to speed up the delivery of updates on Android through Google Play.

The official release notes list a single entry, which confirms the security nature of the update. Mozilla has released a security advisory for all affected versions of the web browser that provides additional details about the issues.

There, users discover that two security issues have been fixed in the update. Both issues are rated critical, the highest severity level available. They were reported to Mozilla by Manfred Paul via Trend Micro’s Zero Day Initiative.

CVE-2022-1802: Prototype pollution in Top-Level Await implementation

If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.

CVE-2022-1529: Untrusted input used in JavaScript object indexing, resulting in prototype pollution

An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, resulting in prototype pollution and ultimately attacker-controlled JavaScript execution in the privileged parent process.
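The bug class named in CVE-2022-1529, shown as an added example that is not Mozilla's code and not part of the original article: a hypothetical handler that double-indexes into an object with keys taken from a message, next to a hardened version that accepts only existing own properties. The names `makeHandlers`, `applyUnsafe`, `applySafe` and the sample messages are constructed for illustration.

```javascript
// Added illustration; not Firefox source. All names and data are constructed.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Hypothetical settings table held by a privileged process.
function makeHandlers() {
  return { tabs: { title: "" }, prefs: { theme: "light" } };
}

// Vulnerable pattern: both index keys are taken from the message unchecked.
// handlers["__proto__"] resolves to Object.prototype, so the write lands there.
function applyUnsafe(handlers, msg) {
  handlers[msg.group][msg.name] = msg.value;
}

// Hardened pattern: keys must be strings naming existing own properties,
// so inherited names such as "__proto__" or "constructor" never match.
function applySafe(handlers, msg) {
  const { group, name, value } = msg;
  if (typeof group !== "string" || typeof name !== "string") return false;
  if (!hasOwn(handlers, group) || !hasOwn(handlers[group], name)) return false;
  handlers[group][name] = value;
  return true;
}

function demo() {
  // Constructed message whose first key names an inherited accessor.
  const msg = { group: "__proto__", name: "polluted", value: "yes" };

  applyUnsafe(makeHandlers(), msg);
  const unsafeLeaked = ({}).polluted === "yes"; // unrelated objects inherit it
  delete Object.prototype.polluted; // undo the pollution before continuing

  const accepted = applySafe(makeHandlers(), msg);
  const safeLeaked = "polluted" in {};

  // A well-formed message still works with the hardened handler.
  const handlers = makeHandlers();
  const legitOk = applySafe(handlers, { group: "prefs", name: "theme", value: "dark" });

  return { unsafeLeaked, accepted, safeLeaked, legitOk, theme: handlers.prefs.theme };
}

console.log(demo());
```
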

Related bug reports are restricted. Mozilla makes no mention of attacks in the wild that target these vulnerabilities.

Firefox and Thunderbird users may wish to update their applications promptly to protect against attacks targeting these issues.

Now you: When do you update your apps?

Author

Martin Brinkmann

Editor

Ghacks Technology News