The Mozilla Foundation has released Firefox 88, fixing 13 bugs ranging from high to low severity.
The Mozilla Foundation fixed a flaw in its Firefox browser that allowed spoofing of the HTTPS secure communications icon, displayed as a padlock in the browser address window. Successful exploitation of the flaw could have allowed a rogue website to intercept browser communications.
The patch was part of a Monday update to Firefox 88, its corporate Firefox ESR 78.10 browser & its Thunderbird 78.10 email client. In total, Firefox 88 addresses 13 browser bugs, 6 of which are rated high severity.
False Sense of Security
Tracked as CVE-2021-23998, the secure-lock-icon bug affects both the consumer & corporate versions of Firefox browsers prior to the Monday releases. “Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page,” wrote Mozilla in its security advisory.
Credited with discovering the spoofed secure lock icon is independent researcher Jordi Chancel, who on Dec. 10, 2020 tweeted “I discovered again a new SSL Spoofing Issue (& others various security issues last 2 months)”. Mozilla's advisory entry for the flaw: https://www.mozilla.org/en-US/security/advisories/mfsa2021-16/#CVE-2021-23998
The vulnerability has a severity rating of moderate, Mozilla reported.
The browser padlock icon, used by all major browsers, indicates a secure communication channel between the browser & the server hosting the website. It indicates the communication is encrypted using HTTPS & utilises an SSL/TLS certificate.
6 High-Severity Bugs
The other bugs rated high severity range from memory corruption flaws to one that allowed a rogue website to render malicious JavaScript outside a webpage’s visible content window.
“By utilizing 3D CSS in conjunction with JavaScript, content could have been rendered outside the webpage’s viewport, resulting in a spoofing attack that could have been used for phishing or other attacks on a user,” Mozilla wrote of the bug tracked as CVE-2021-23996.
Bug hunter Irvan Kurniawan is credited with unearthing 2 of the high-severity bugs and 1 moderate flaw fixed in Firefox on Monday. One (CVE-2021-23995) is a bug described as a “use-after-free in responsive design mode”.
Responsive Design Mode
“When Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary code,” wrote Mozilla. Responsive design is a term used to describe how websites automatically adapt to different sized screens.
Kurniawan is also credited with finding a use-after-free bug (CVE-2021-23997) that can be triggered by the releasing of a web-based font from the browser’s cache. This bug, like Kurniawan’s previous vulnerability, could be used by an adversary to target a specific browser & execute remote code.
Security Bulletin
“Due to unexpected data type conversions, a use-after-free could have occurred when interacting with the font cache. We presume that with enough effort this could have been exploited to run arbitrary code,” Mozilla wrote.
The Mozilla security bulletin is light on the technical specifics of the bug & does not indicate if any of the 13 flaws outlined in its advisory are being exploited in the wild.
The relatively mild collection of Firefox fixes stands in contrast to Google & its Chrome browser, which last week rushed patches addressing a zero-day remote code execution (RCE) vulnerability.