
High-Severity Memory Corruption Vulnerabilities Patched in Firefox, Chrome

Mozilla and Google on Tuesday announced the release of stable updates for Firefox and Chrome to address several high-severity vulnerabilities, including memory corruption issues.

Mozilla released Firefox 117 with patches for 13 vulnerabilities, including seven rated ‘high severity’, four of which are described as memory corruption bugs affecting the browser’s IPC CanvasTranslator, IPC ColorPickerShownCallback, IPC FilePickerShownCallback, and JIT UpdateRegExpStatics components.

Reported by the same security researcher (known as sonakkbi) and tracked as CVE-2023-4573, CVE-2023-4574, and CVE-2023-4575, the first three flaws “could have led to a use-after-free causing a potentially exploitable crash,” Mozilla explains in its advisory.

Tracked as CVE-2023-4577, the fourth vulnerability could have led to a potentially exploitable crash as well.

Mozilla also patched a high-severity integer overflow (CVE-2023-4576) in the RecordedSourceSurfaceCreation component of Firefox for Windows, resulting in “a heap buffer overflow potentially leaking sensitive data that could have led to a sandbox escape”.

Firefox 117 also addresses several high-severity memory safety bugs that are collectively tracked as CVE-2023-4584 and CVE-2023-4585 and which also impact Firefox ESR and Thunderbird.

The remaining six issues addressed with this browser release are medium- and low-severity vulnerabilities that could lead to site spoofing, sensitive information leaks, the download of files without a warning of their potential harm, a buffer overflow, or browser context not being cleared when closing a private window.

On Tuesday, the browser maker also announced the release of Firefox ESR 115.2 with patches for 14 vulnerabilities, including 12 resolved in Firefox 117. Additionally, Mozilla released Firefox ESR 102.15 with patches for six vulnerabilities.

More information on these vulnerabilities can be found on Mozilla’s security advisories page.

Google on Tuesday released its second weekly update for Chrome, now rolling out as version 116.0.5845.140 for macOS and Linux and as versions 116.0.5845.140/.141 for Windows.

The Chrome update resolves one vulnerability, tracked as CVE-2023-4572 and described as a use-after-free flaw in MediaStream. Such issues can often be exploited to escape Chrome’s sandbox and achieve remote code execution, if combined with other vulnerabilities.

Mozilla and Google make no mention of any of these flaws being exploited in attacks.
