Mozilla Foundation releases Firefox 84 browser, fixing several flaws & delivering performance gains & Apple processor support.
A Mozilla Foundation update to the Firefox web browser, released Tues., tackles 1 critical vulnerability & a handful of high-severity bugs. The update, released as Firefox version 84, is also billed by Mozilla as boosting the browser’s performance & adding native support for macOS hardware running on its own Apple processors.
High-Severity
Altogether, 6 high-severity flaws were fixed, in addition to the critical bug, tracked as CVE-2020-16042. The specific critical bug in Firefox was also highlighted earlier this month in Google’s Chrome browser security update, where it was rated as a ‘high-severity flaw.’
The Firefox & Chrome bug (CVE-2020-16042) is still not fully described by either browser maker & is only listed as a memory bug.
Mystery Bug Also Impacts Google Chrome Web Browser
In the Mozilla security advisory, CVE-2020-16042 is described as a flaw in the JavaScript component called BigInt that “could have caused un-initialised memory to be exposed.”
BigInt is a JavaScript component used to represent “arbitrarily large integers” in the context of a JavaScript process within the browser, according to a Mozilla description.
Google describes the same flaw differently. It calls it an “un-initialised-use” bug impacting Chrome’s V8 JavaScript engine. Google’s bulletin is also unclear about the exact nature of the flaw. But cyber-security researchers have described these types of un-initialised-use bugs as “largely overlooked” & often “regarded as insignificant memory errors.”
Critical Attack Vector
“These are actually a critical attack vector that can be reliably exploited by hackers to launch privilege-escalation attacks in the Linux kernel,” according to 2017 research published by the Georgia Institute of Technology in the US.
The CVE was also referenced last week by Microsoft, as part of its Dec. Patch Tuesday list of bugs impacting its Edge browser version 87.0.664.57. Microsoft’s Edge browser, released in Jan. 2020, is based on Google’s open-source software project Chromium. The Chromium source code is used in Google’s Chrome browser & Microsoft’s 2020 Edge browser.
The V8 JavaScript Engine & Web Assembly
The V8 open-source JavaScript engine was developed by the Chromium Project for the Google Chrome & Chromium web browsers. Firefox does not use the V8 JavaScript engine, but it does support the Web Assembly component often associated with V8.
Web Assembly, or WASM for short, is an open standard that defines a portable binary-code format for executable programs, according to the Web Assembly project. “Web Assembly describes a memory-safe, sandboxed execution environment that may even be implemented inside existing JavaScript virtual machines,” according to the project website.
WASM & V8 Bugs
Mozilla’s Firefox browser is not Chromium based. WASM is supported in Mozilla Firefox & Apple Safari, even though neither uses Google’s V8. Some clues as to the nature of the bug can be derived from the fact that the bug impacts both the Firefox & Chrome browsers – the common denominator is WASM. In addition, a 2018 analysis of WASM & V8 bugs warned of possible security issues.
In 2018, Google’s Project Zero published research titled “The Problems and Promise of Web Assembly” & identified 3 vulnerabilities, which were mitigated. One future WASM threat, Google warned, was tied to Web Assembly’s garbage collector (GC) function.
Web Assembly the Culprit?
GC is an important process tied to JavaScript engines. “Java applications obtain objects in memory as needed. It is the task of GC in the Java virtual machine (JVM) to automatically determine what memory is no longer being used by a Java application & to recycle this memory for other uses,” says John Worthington in a post on the importance of GC.
Performance Problems
As for Google, it warned in 2018:
“Web Assembly GC is another potential feature of Web Assembly that could lead to security problems.
Currently, some uses of Web Assembly have performance problems due to the lack of higher-level memory management in Web Assembly. For example, it is difficult to implement a performant Java Virtual Machine in Web Assembly.
If Web Assembly GC is implemented, it will increase the number of applications that Web Assembly can be used for, but it will also make it more likely that vulnerabilities related to memory management will occur in both Web Assembly engines & applications written in Web Assembly.”
Database Repositories
At both national vulnerability database repositories, MITRE & NIST, the technical specifics of the CVE have yet to be publicly disclosed. In Google’s Dec. Security Bulletin, it noted details tied to CVE-2020-16042 & other bugs were being withheld, “until a majority of users are updated with a fix.”
It also noted that when and if bugs exist in 3rd-party code libraries used in other devices or platforms, technical details of the bugs are limited.
Credited for finding the bug is bug hunter André Bargull, who originally reported the bug on Nov. 23, says Google.
6 High-Severity Firefox Bugs
Memory issues dominated the list of high-severity bugs patched by Mozilla on Tues. Two “memory safety bugs” (CVE-2020-35114 & CVE-2020-35113) were patched. Both CVEs addressed bugs in Firefox 84 & its large-enterprise Firefox extended support release (ESR) 78.6 browser.
“Some of these bugs showed evidence of memory corruption & we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla wrote of both bugs.
Also tied to browser memory are bugs tracked as CVE-2020-26971, CVE-2020-26972 & CVE-2020-26973, which include a heap-buffer-overflow in WebGL, a use-after-free in WebGL & a flaw in which the CSS sanitizer performed incorrect sanitisation.