In a security advisory, Mozilla has announced that several security issues in its Firefox browser have been fixed. Several of these vulnerabilities were listed as having a high impact.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). We’ll discuss some of the CVEs fixed in this update below.
CVE-2021-38503 is an issue where the iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. Attackers could use manipulated XSLT stylesheets to execute scripts or break out onto the main frame.
XSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents into other XML documents, or other formats such as HTML for web pages, plain text or XSL Formatting Objects, which may subsequently be converted to other formats, such as PDF, PostScript and PNG.
The vulnerability listed under CVE-2021-38504 could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in the file picker dialog. By persuading a victim to visit a specially crafted website, a remote attacker could create an interaction with an HTML input element’s file picker dialog with webkitdirectory set. Use after free (UAF) is a vulnerability due to incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.
The vulnerability listed under CVE-2021-38505 only applies to users of Firefox for Windows 10+ with Cloud Clipboard enabled. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats. Firefox versions before 94 and ESR 91.3 did not implement these formats. This could have caused sensitive data to be recorded to a user’s Microsoft account.
CVE-2021-38506 describes a vulnerability in which, through a series of navigations, Firefox could have entered full screen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing. This type of attack is particularly useful for Tech Support scammers because they can make the browser page look like a security warning or BSOD, and trick the user into calling a specific number.
CVE-2021-38507 concerns the Opportunistic Encryption feature of HTTP2 (RFC 8164), which allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) doesn’t opt in to opportunistic encryption, a network attacker could forward a connection that the browser made to port 443 on to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage.
The vulnerability listed under MOZ-2021-0003 does not have a CVE number assigned to it. The vulnerability only affects Firefox for Android. A Universal XSS vulnerability was present in Firefox for Android resulting from improper sanitization when processing a URL scanned from a QR code. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. QR codes are complicated barcodes that are popular among scammers. It’s advisable to use a QR scanner that checks or at least displays the URL before it follows the link.
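The "check or at least display the URL" advice above can be expressed as a small vetting step between the QR decoder and the browser. This is an added example, not code from the article or from Mozilla's fix; the function name, the scheme allow-list and the extra checks are assumptions about what a cautious scanner would do, and the inputs in the comments are constructed.

```javascript
// Added example: vet text decoded from a QR code before it is opened.
// The allow-list and checks are assumptions, not Mozilla's patch.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function vetScannedText(text) {
  const raw = String(text).trim();
  // Whitespace or control characters inside a "URL" suggest smuggled content.
  if (/[\u0000-\u0020\u007f]/.test(raw)) {
    return { ok: false, reason: "control or whitespace character in payload" };
  }
  let url;
  try {
    url = new URL(raw); // WHATWG URL parser, the model browsers follow
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  // Only plain web links are handed on; every other scheme is refused.
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  // "https://bank.example@other.example/" really goes to other.example.
  if (url.username || url.password) {
    return { ok: false, reason: "embedded credentials in URL" };
  }
  const warnings = [];
  if (url.protocol === "http:") warnings.push("unencrypted connection");
  if (url.hostname.split(".").some((label) => label.startsWith("xn--"))) {
    warnings.push("internationalised host name, check for look-alikes");
  }
  // display is the origin that will actually be contacted; show it to the user.
  return { ok: true, display: url.origin, href: url.href, warnings };
}
```

A scanner would show `display` and any `warnings` to the user and only navigate to `href` after confirmation.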
Several memory safety bugs were grouped under MOZ-2021-0007. Some of these bugs showed evidence of memory corruption and it was presumed that with enough effort some of these could have been exploited to run arbitrary code. These bugs were found by Mozilla developers and community members and have also been fixed in this update.
All of the issues listed above, and more, have been fixed in Firefox 94 and Firefox ESR 91.3. By default, Firefox updates automatically. You can also check for updates manually at any time, in which case an update is downloaded, but it is not installed until you restart Firefox.
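For anyone checking more than one machine, the two fixed versions above translate into a simple classification of reported version strings. This is an added example, not part of the original article; the inventory is constructed, and it assumes ESR builds report an `esr` suffix in their version string, so a string without the suffix is judged against the release threshold.

```javascript
// Added example: classify reported Firefox versions against the fixed
// releases named in the article (Firefox 94 and Firefox ESR 91.3).
const FIXED = { release: [94, 0], esr: [91, 3] };

function parseFirefoxVersion(text) {
  // Matches "94.0", "93.0.1", "91.2.0esr", "94.0b9" inside a longer string.
  const m = /(\d+)\.(\d+)(?:\.(\d+))?([a-z]+\d*)?/i.exec(String(text));
  if (!m) return null;
  const suffix = (m[4] || "").toLowerCase();
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    // Assumption: ESR builds carry an "esr" suffix; anything else is release.
    channel: suffix === "esr" ? "esr" : "release",
    // Beta and similar suffixes are not judged automatically.
    prerelease: suffix !== "" && suffix !== "esr",
  };
}

function classify(text) {
  const v = parseFirefoxVersion(text);
  if (!v || v.prerelease) return "unknown";
  const [major, minor] = FIXED[v.channel];
  const fixed = v.major > major || (v.major === major && v.minor >= minor);
  return fixed ? "fixed" : "vulnerable";
}

// Hosts that still need the update or a manual look.
function audit(inventory) {
  return inventory
    .map(({ host, version }) => ({ host, version, status: classify(version) }))
    .filter((row) => row.status !== "fixed");
}

// Constructed inventory, e.g. gathered by running `firefox --version` per host.
const SAMPLE_INVENTORY = [
  { host: "ws-01", version: "Mozilla Firefox 94.0" },
  { host: "ws-02", version: "Mozilla Firefox 93.0.1" },
  { host: "ws-03", version: "Mozilla Firefox 91.2.0esr" },
  { host: "ws-04", version: "Mozilla Firefox 91.3.0esr" },
  { host: "ws-05", version: "Mozilla Firefox 94.0b9" },
  { host: "ws-06", version: "" },
];
console.log(audit(SAMPLE_INVENTORY));
```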
Stay safe, everyone!
ABOUT THE AUTHOR
Malware Intelligence Researcher
Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.