
Critical vulnerabilities found in Firefox allow hackers to gain control of infected systems | Patch now!

AlTech

Summary

It is understood that recently, at a hackathon event in Vancouver, Canada, longtime hackathon attendee Manfred Paul showed off 2 vulnerabilities in Firefox that have since been reported to Mozilla and patched in Firefox.

 

The vulnerabilities are classed as Critical and allow hackers to gain control of a system running Firefox if Firefox loads a webpage which is infected with malicious JavaScript code.

 

Mozilla has patched the vulnerability in its own products in the Firefox ESR 91.9.1, Firefox 100.0.2, FF for Android 100.3.0, and Thunderbird 91.9.1.

 

Tor Browser for Desktop and Tor Browser for Android are also affected and have similarly been patched in Tor Browser 11.0.13.

 

Quotes

Quote

If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.

Quote

An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process.

 

Quote

As part of Mozilla Foundation Security Advisory 2022-19, Firefox 100.0.2 addressed the following Critical severity vulnerabilities:

    CVE-2022-1802: Prototype pollution in Top-Level Await implementation
    CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution.

 

My thoughts

This is scary stuff. JavaScript once again rearing its ugly head with exploit after exploit. I guess this is why we constantly need new versions of browsers. Somewhat ironically this, at least in part, validates Apple's claims about not letting apps use 3rd party browser engines on iOS due to security reasons, since if FF for iOS did use the same engine then it would also face this issue, but it doesn't because of Apple's browser engine rules on iOS.

 

Sources

https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/

https://www.securezoo.com/2022/05/mozilla-fixes-2-critical-vulnerabilities-in-firefox-100-0-2/


Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill | (Probably) Why LMG Merch shipping to the EU is expensive

Oneplus 6 (Early 2023 to present) | HP Envy 15" x360 R7 5700U (Mid 2021 to present) | Steam Deck (Late 2022 to present)

 

Mid 2023 AlTech Desktop Refresh - AMD R7 5800X (Mid 2023), XFX Radeon RX 6700XT MBA (Mid 2021), MSI X370 Gaming Pro Carbon (Early 2018), 32GB DDR4-3200 (16GB x2) (Mid 2022)

Noctua NH-D15 (Early 2021), Corsair MP510 1.92TB NVMe SSD (Mid 2020), beQuiet Pure Wings 2 140mm x2 & 120mm x1 (Mid 2023),

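The two advisory quotes in the post above both come down to the same generic bug class: untrusted input used as keys to "double-index" into a JavaScript object, so that `store[outer][inner] = value` with `outer === "__proto__"` (or `constructor` followed by `prototype`) writes onto `Object.prototype` and every plain object in the realm inherits the planted property. The following is an added example, not code from the Mozilla advisory, Firefox or anyone in this thread: a toy nested setter with that defect, a hardened replacement, and a probe a defender can use to check whether the prototype has already been polluted. The function names, the `FORBIDDEN_KEYS` list and the two sample messages are all made up for the illustration.

```javascript
// Added example, not code from the advisory or from Firefox: a toy
// "double-index" setter that trusts two keys from an untrusted message,
// the prototype pollution that results, and a hardened replacement.

// Vulnerable pattern: store[outer][inner] = value with caller-chosen keys.
// If outer is "__proto__", store[outer] is Object.prototype (not undefined),
// so the inner write lands on every plain object in the realm.
function vulnerableSetNested(store, outerKey, innerKey, value) {
  if (store[outerKey] === undefined) {
    store[outerKey] = {};
  }
  store[outerKey][innerKey] = value;
  return store;
}

// Keys that reach a prototype through an ordinary property access.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened pattern: reject prototype-reaching keys, consult only own
// properties, keep nested containers prototype-less, and write with
// defineProperty so no setter on a prototype chain can intercept the write.
function safeSetNested(store, outerKey, innerKey, value) {
  for (const key of [outerKey, innerKey]) {
    if (typeof key !== "string" || FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`rejected key: ${String(key)}`);
    }
  }
  if (!Object.prototype.hasOwnProperty.call(store, outerKey)) {
    Object.defineProperty(store, outerKey, {
      value: Object.create(null),
      writable: true, enumerable: true, configurable: true,
    });
  }
  Object.defineProperty(store[outerKey], innerKey, {
    value, writable: true, enumerable: true, configurable: true,
  });
  return store;
}

// Detection probe: has something already planted this own property on
// Object.prototype? A clean realm answers false for any made-up name.
function isPrototypePolluted(probeKey) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, probeKey);
}

// Constructed sample messages (invented for this example).
const benignMessage = { outer: "prefs", inner: "theme", value: "dark" };
const hostileMessage = { outer: "__proto__", inner: "isAdmin", value: true };

function demo() {
  const results = {};

  // 1. Vulnerable setter: the hostile message pollutes Object.prototype.
  const store1 = {};
  vulnerableSetNested(store1, hostileMessage.outer, hostileMessage.inner, hostileMessage.value);
  results.unrelatedObjectSeesIsAdmin = ({}).isAdmin === true;
  results.detectedPollution = isPrototypePolluted("isAdmin");
  delete Object.prototype.isAdmin; // undo the pollution for the rest of the demo

  // 2. Hardened setter: the hostile message is rejected and nothing leaks.
  const store2 = {};
  let rejected = false;
  try {
    safeSetNested(store2, hostileMessage.outer, hostileMessage.inner, hostileMessage.value);
  } catch (err) {
    rejected = err instanceof TypeError;
  }
  results.hostileRejected = rejected;
  results.cleanAfterHardened = !isPrototypePolluted("isAdmin") && ({}).isAdmin === undefined;

  // 3. Hardened setter still serves a legitimate nested write.
  safeSetNested(store2, benignMessage.outer, benignMessage.inner, benignMessage.value);
  results.benignStored = store2.prefs.theme === "dark";

  return results;
}

console.log(demo());
```

This models only the generic key-handling defect, not the Firefox IPC path the advisory describes. Beyond rejecting the three key names, the hardened version relies on two habits worth keeping in any code that indexes objects with external strings: null-prototype containers for maps keyed by untrusted data, and `hasOwnProperty` rather than a plain lookup when deciding whether a slot already exists. Some applications additionally call `Object.freeze(Object.prototype)` at startup as a coarse backstop; it is not used here because the demo needs to undo its own pollution.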

9 minutes ago, AluminiumTech said:

, at least in part, validates Apple's claims about not letting apps use 3rd party browser engines on iOS due to security reasons

It would, if not for the fact that for security reasons the app itself should already be sandboxed on iOS if they are so serious about security. You can take over the browser all you want; if the browser's process can't touch anything, neither can this vulnerability.

I'd call this a good lesson for how running unprivileged apps in a very limiting context is good for security.

In a sense, a browser app shouldn't even need write access on its own files aside from cache, configuration, and history.


1 hour ago, AluminiumTech said:

This is scary stuff. JavaScript once again rearing its ugly head with exploit after exploit.

I actually used JavaScript to exploit my PlayStation console,

JavaScript has a huge potential for devastating vulnerabilities.

That's why JavaScript is not safe and will never be safe.

I don't know if it was patched but JavaScript can be used to mine cryptocurrency using the devices of those visiting your website.

 

A PC Enthusiast since 2011
AMD Ryzen 7 5700X@4.65GHz | GIGABYTE GTX 1660 GAMING OC @ Core 2085MHz Memory 5000MHz
Cinebench R23: 15669cb | Unigine Superposition 1080p Extreme: 3566

Why am I not surprised it was something JS related.

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


As an FYI: these patches were released a week ago. Unless you've disabled automatic updates (a terrible idea for your browser) you're probably good already. But still worth a check for sure.

CPU: i7 4790k, RAM: 16GB DDR3, GPU: GTX 1060 6GB


2 hours ago, Vishera said:

I don't know if it was patched but JavaScript can be used to mine cryptocurrency using the devices of those visiting your website.

Those use legitimate functions in JS so I don't think there is anything to patch; you either use an adblocker or NoScript...


To anyone still running an older version of Firefox, what are you doing?

System Specs:

CPU: Ryzen 7 5800X

GPU: Radeon RX 7900 XT 

RAM: 32GB 3600MHz

HDD: 1TB Sabrent NVMe -  WD 1TB Black - WD 2TB Green -  WD 4TB Blue

MB: Gigabyte  B550 Gaming X- RGB Disabled

PSU: Corsair RM850x 80 Plus Gold

Case: BeQuiet! Silent Base 801 Black

Cooler: Noctua NH-DH15


feels like it was released long ago, and did see it in the notes.

Nearly every update in patches has been related to JS or close enough.

Thought browsers wanted to be more "sandbox" like, as with some extensions for sandboxing some functions.

 

Not so nice to see how many other doors are open unknowingly or don't need to be open, like what type of permissions and access a browser should ask for. Which felt like it was in the Windows 7 era or before, or what iOS does.


1 hour ago, jagdtigger said:

Those use legitimate functions in JS so I don't think there is anything to patch; you either use an adblocker or NoScript...

The Gecko engine also has a toggle to turn off JavaScript at the engine level in case NoScript doesn't work (it's a toggle in the Firefox config settings). That's assuming one wanted to turn off JS entirely for their browser, which admittedly some want but not most or all.

 

1 hour ago, Quackers101 said:

feels like it was released long ago, and did see it in the notes.

Nearly every update in patches has been related to JS or close enough.

Thought browsers wanted to be more "sandbox" like, as with some extensions for sandboxing some functions.

Yes, in Firefox and Chrome (iirc but correct me if I'm wrong) each tab is sandboxed and can't escape that sandbox in theory. This vulnerability manages to escape the sandbox in Firefox and that's how it allows remote JavaScript code execution and also remote control of an infected system.

1 hour ago, Quackers101 said:

Not so nice to see how many other doors are open unknowingly or don't need to be open, like what type of permissions and access a browser should ask for. Which felt like it was in the Windows 7 era or before, or what iOS does.

If Windows improved its permission model then in theory they could implement this but the same problem would then exist on Linux and macOS.


4 hours ago, Vishera said:

I actually used JavaScript to exploit my PlayStation console,

JavaScript has a huge potential for devastating vulnerabilities.

That's why JavaScript is not safe and will never be safe.

I don't know if it was patched but JavaScript can be used to mine cryptocurrency using the devices of those visiting your website.

 

Is it possible to make PWAs without JavaScript? Since it feels like pretty much all web apps use JavaScript.


It wasn't just Firefox:
Pwn2Own 2022: Windows 11, Ubuntu, Firefox, Safari, Tesla and more hacked
https://www.ghacks.net/2022/05/21/pwn2own-2022-windows-11-ubuntu-firefox-safari-tesla-and-more-hacked/

Always updating is great but not always good; sometimes new features or changes open up new flaws or security holes.

As one sees with some software, but I guess it's easier for cloud software than local software.

Unlike Windows, which for some reason wants to not give you the option... that it did before.


1 hour ago, Ultraforce said:

Is it possible to make PWAs without JavaScript? Since it feels like pretty much all web apps use JavaScript.

Yes but with reduced functionality.

3 hours ago, jagdtigger said:

Those use legitimate functions in JS so I don't think there is anything to patch; you either use an adblocker or NoScript...

The fact that malicious payloads like this can't be patched is concerning.

Nobody wants websites to have the ability to exploit JavaScript and mine cryptocurrency with their hardware.

Also JavaScript is widely used for fingerprinting users and tracking user behavior, which is another malicious script that you don't want websites to use.

There should be safeguards implemented in JavaScript and in browsers to mitigate such vulnerabilities and exploits.


How and why does it even affect Thunderbird... Who browses the internet with Thunderbird? Damn it. I hate updating my email client; too often they break extensions.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


1 hour ago, TetraSky said:

How and why does it even affect Thunderbird...

Thunderbird also uses Gecko and executes JavaScript AFAIK.

1 hour ago, TetraSky said:

Who browses the internet with Thunderbird? Damn it. I hate updating my email client; too often they break extensions.

Nobody?


12 hours ago, AluminiumTech said:

Mozilla has patched the vulnerability in its own products in the Firefox ESR 91.9.1, Firefox 100.0.2, FF for Android 100.3.0, and Thunderbird 91.9.1.

Thank god it was patched a week ago, I am another Firefox user.

Gaming With a 4:3 CRT

System specs below

 

CPU: AMD Ryzen 7 5700X with a Noctua NH-U9S cooler 
Motherboard: Gigabyte B450 Aorus M (Because it was cheap)
RAM: 32GB (4 x 8GB) Corsair Vengeance LPX 3200MHz CL16
GPU: EVGA GTX 980 Ti SC Blower Card
HDD: 7200RPM TOSHIBA DT01ACA100 1TB, External HDD: 5400RPM 2TB WD My Passport
SSD: 1tb Samsung 970 evo m.2 nvme
PSU: Corsair CX650M
Displays: ViewSonic VA2012WB LCD 1680x1050p @ 75Hz
Gateway VX920 CRT: 1920x1440@65Hz, 1600x1200@75Hz, 1200x900@100Hz, 960x720@125Hz
Gateway VX900 CRT: 1920x1440@64Hz, 1600x1200@75Hz, 1200x900@100Hz, 960x720@120Hz (Can be pushed to 175Hz)
 
Keyboard: Thermaltake eSPORTS MEKA PRO with Cherry MX Red switches

21 hours ago, LWM723 said:

It wasn't just Firefox:
Pwn2Own 2022: Windows 11, Ubuntu, Firefox, Safari, Tesla and more hacked
https://www.ghacks.net/2022/05/21/pwn2own-2022-windows-11-ubuntu-firefox-safari-tesla-and-more-hacked/

Did I read that right (different article) that they are *releasing* the vulnerabilities to the public?

Shouldn't that be kinda illegal as it will certainly put people in harm's way, plus just because it can be patched doesn't mean all variants can be patched (see Spectre etc.)

Seems really irresponsible (but I get why big companies like Microsoft etc. would like that...)

 

Quote

Patches are then created and rolled out to users before more information is made publicly available.

... I get it, this might just be bad journalism at work as usual, but they go on about how "great" this is lol...

 

"more information" basically means every script kiddie will do it... 🤦‍♀️

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer


4 minutes ago, Mark Kaine said:

Did I read that right (different article) that they are *releasing* the vulnerabilities to the public?

Shouldn't that be kinda illegal as it will certainly put people in harm's way, plus just because it can be patched doesn't mean all variants can be patched (see Spectre etc.)

Seems really irresponsible (but I get why big companies like Microsoft etc. would like that...)

Is it any different from those revealed in patch logs?

"A high ideal missed by a little, is far better than low ideal that is achievable, yet far less effective"

 

If you think I'm wrong, correct me. If I've offended you in some way tell me what it is and how I can correct it. I want to learn, and along the way one can make mistakes; Being wrong helps you learn what's right.


2 minutes ago, J-from-Nucleon said:

Is it any different from those revealed in patch logs?

Well, that's the question... I hope they don't come with instructions! UwU

Seriously, shouldn't they just shut up about it? "Fixed vulnerability in browser" is all the public needs to know!?


3 minutes ago, J-from-Nucleon said:

Is it any different from those revealed in patch logs?

also would think it depends on the issue at hand and what they reveal?

but I guess one could have some delayed response, so that people have days on them?


1 hour ago, Mark Kaine said:

... I get it, this might just be bad journalism at work as usual, but they go on about how "great" this is lol...

 

"more information" basically means every script kiddie will do it... 🤦‍♀️

This is how security disclosure programmes work: the discloser gives the information to the developer of the software, which then asks for secrecy surrounding the issue until it has been patched. Once it is patched the secrecy no longer applies, and the developer of the software announces that the issue has been fixed in a new version and gives credit to the discloser for disclosing the vulnerability, as well as whatever financial reward the disclosure programme has.

 

This is by design to avoid malicious actors from exploiting the vulnerability before it has been patched. This is standard operating procedure for disclosing vulnerabilities in many open source projects and companies.


2 hours ago, Mark Kaine said:

"more information" basically means every script kiddie will do it... 🤦‍♀️

So what? It's already patched; if someone doesn't update, that's on them...


52 minutes ago, AluminiumTech said:

Once it is then patched the secrecy no longer applies and then the developer of the software announces the issue has been fixed in a new version and gives credit to the discloser for disclosing the vulnerability


29 minutes ago, jagdtigger said:

It's already patched


2 hours ago, Mark Kaine said:

plus just because it can be patched doesn't mean all variants can be patched (see spectre etc) 


There is no good reason to disclose the vulnerability to "the public" 
