Jump to content
Search In
  • More options...
Find results that contain...
Find results in...

Critical vulnerabilities found in Firefox allow hackers to gain control of infected systems | Patch now!

 Share

Summary

It is understood that recently at a hackathon event in Vancouver, Canada longtime hackathon attendee, Manfred Paul, showed off 2 vulnerabilities in Firefox that have since been reported to Mozilla and patched in Firefox.

 

The vulnerabilities are classed as Critical and allow hackers to gain control of a system running Firefox if Firefox loads a webpage which is infected with malicious JavaScript code.

 

Mozilla has patched the vulnerability in its own products in the Firefox ESR 91.9.1, Firefox 100.0.2, FF for Android 100.3.0, and Thunderbird 91.9.1.

 

Tor Browser for Desktop and Tor Browser for Android are also affected and have similarly been patched in Tor Browser 11.0.13 .

 

Quotes

Quote

If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.

Quote

An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process.

 

Quote

As part of Mozilla Foundation Security Advisory 2022-19, Firefox 100.0.2 addressed the following Critical severity vulnerabilities:

    CVE-2022-1802: Prototype pollution in Top-Level Await implementation
    CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution.

 

My thoughts

 This is scary stuff. JavaScript once again rearing it's ugly head with exploit after exploit. I guess this is why we constantly need new versions of browsers. Somewhat ironically this, at least in part, validates Apple's claims about not letting apps use 3rd party browser engines on IOS due to security reasons since if FF for IOS did use the same engine then it would also face this issue but it doesn't because of Apple's browser engine rules on IOS.

 

Sources

https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/

https://www.securezoo.com/2022/05/mozilla-fixes-2-critical-vulnerabilities-in-firefox-100-0-2/

 

 

Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill

Oneplus 7T (Mid 2021 to present), HP Envy 15" x360 R7 5700U (Mid 2021 to present)

Samaritan XTXH (Early 2021 Upgrade - AMD Ryzen 9 3900XT (12C/24T)  (2021) , MSI X370 Gaming Pro Carbon, Corsair 32GB Vengeance LPX DDR4-2666 (2020) ,  AMD Radeon RX 6700XT 12GB (Mid 2021), Corsair RM850i PSU, Noctua NH-D15 CPU Cooler (2021), Samsung 860 EVO 500GB SSD, Seagate BarraCuda 6TB HDD (2020) , NZXT S340 Elite, Corsair ML 120 Pro, Corsair ML120 x2 (2021)

Link to comment
Share on other sites

Link to post
Share on other sites

9 minutes ago, AluminiumTech said:

, at least in part, validates Apple's claims about not letting apps use 3rd party browser engines on IOS due to security reasons

it would, if not for the fact that for security reasons the app itself should already be sandboxed on IOS if they are so serious about security. you can take over the browser all you want, if the browser's process cant touch anything, neither can this vulnerability.

 

i'd call this a good lesson for how running unprivileged apps in a very limiting context is good for security.

in a sense, a browser app shouldnt even need write access on it's own files aside from cache, configuration, and history.

Link to comment
Share on other sites

Link to post
Share on other sites

1 hour ago, AluminiumTech said:

This is scary stuff. JavaScript once again rearing it's ugly head with exploit after exploit.

I actually used JavaScript to exploit my PlayStation console,

JavaScript has a huge potential for devastating vulnerabilities.

That's why JavaScript is not safe and will never be safe.

I don't know if it was patched but JavaScript can be used to mine crypto currency using the devices of those visiting your website.

 

A PC Enthusiast since 2011
AMD Ryzen 5 2600@4.1GHz | GIGABYTE GTX 1660 GAMING OC @ Core 2085MHz Memory 5000MHz
Cinebench R15: 1349cb | Unigine Superposition 1080p Extreme: 3566
Link to comment
Share on other sites

Link to post
Share on other sites

Why am I not surprised it was something JS related.

Ryzen 7 3800X | X570 Aorus Elite | G.Skill 16GB 3200MHz C16 | Radeon RX 5700 XT | Samsung 850 PRO 256GB |Mousepad: Skypad 3.0 XL | Mouse: Zowie S1-C |Keyboard: Corsair K63 MX red | OS: Windows 11

Link to comment
Share on other sites

Link to post
Share on other sites

As an FYI: these patches were released a week ago. Unless you've disabled automatic updates (a terrible idea for your browser) you're probably good already. But still worth a check for sure.

My PCs:

Quote

Timothy: 

i7 4790k

16GB Corsair Vengeance DDR3

ASUS GTX 1060 6GB

Corsair Carbide 300R

 

Link to comment
Share on other sites

Link to post
Share on other sites

2 hours ago, Vishera said:

I don't know if it was patched but JavaScript can be used to mine crypto currency using the devices of those visiting your website.

Those use legitimate functions in JS so i dont think there is anything to patch, you either use an adblocker or NoScript.....

Link to comment
Share on other sites

Link to post
Share on other sites

To anyone still running an older version of Firefox, what are you doing?

System Specs:

CPU: Ryzen 7 5800X

GPU: Gigabyte RTX 3080 Gaming OC

RAM: 32GB 3600MHz

HDD: 1TB Sabrent NVMe -  WD 1TB Black - WD 2TB Green -  WD 4TB Blue

MB: Gigabyte  B550 Gaming X- RGB Disabled

PSU: ThermalTake 750W Smart BX1 - RGB Disabled

Case: BeQuiet! Silent Base 801 Black

Cooler: DeepCool Castle 360EX

 

 

 

Link to comment
Share on other sites

Link to post
Share on other sites

And this is why any web browser can and should be sandboxed to hell and back, then to heaven and back, then add 2000 more layers on that.

REFRESH BEFORE RESPOND, I EDITED MY POST

 

 

Likes animals (especially ducks)

 

PSA: Don't lie

 

I own a lot of iDevices.

iPhone3,1 = iPhone 4 (GSM) (Black) = 16GB, iOS 5.1.1 (unlocked)

iPhone3,3 = iPhone 4 (CDMA) (Black) = 16GB, iOS 4.2.6 (locked to Verizon)

iPhone4,1 = iPhone 4S (Black) = 16GB, iOS 9.2.1 (unlocked)

iPad2,5 = iPad mini 1 (Silver) = 6GB, iOS 8.4.1 + 10GB, 6.1.3 (WiFi only)

iPhone5,3 = iPhone 5C (GSM) (Blue) = 32GB, iOS 10.3.3 (locked to AT&T)

iPhone6,1 = iPhone 5S (GSM) (Space Gray) = 16GB, iOS 10.3.3 (locked to TracFone)

iPhone6,1 = iPhone 5S (GSM) (Silver) = 16GB, iOS 11.0.1 (locked to TracFone)

iPhone7,2 = iPhone 6 (Silver) = 16GB, iOS 8.3

iPhone8,1 = iPhone 6S (Space Gray) N71AP = 16GB, iOS 15.0.2 (unlocked)

iPhone9,1 = iPhone 7 (Global) (Midnight Star) = 256GB, iOS 15.1 (unlocked)

Link to comment
Share on other sites

Link to post
Share on other sites

feels like it was released long ago, and did see it in the notes.

Nearly every update in patches has been related to JS or close enough.

Thought browsers wanted to be more "sandbox" like, as with some extensions for sandboxing some functions.

 

Not so nice to see, how many other doors are open unknowningly or doesn't need to be open like what type of permissions and access that a browser should ask for. which felt like it was in windows 7 era or before, or what IOS does.

Link to comment
Share on other sites

Link to post
Share on other sites

1 hour ago, jagdtigger said:

Those use legitimate functions in JS so i dont think there is anything to patch, you either use an adblocker or NoScript.....

The Gecko engine also has a toggle to turn off JavaScript on an engine level in case No script doesn't work (it's a toggle in the Firefox config settings). That's assuming one wanted turn off JS entirely for their browser which admittedly some want but not most or all.

 

1 hour ago, Quackers101 said:

feels like it was released long ago, and did see it in the notes.

Nearly every update in patches has been related to JS or close enough.

Thought browsers wanted to be more "sandbox" like, as with some extensions for sandboxing some functions.

Yes, in Firefox and Chrome (iirc but correct me if I'm wrong) each tab is sandboxed and can't escape that sandbox in theory. This vulnerability manages to escape the sandbox in Firefox and that's how it allows remote JavaScript code execution and also remote control of an infected system.

1 hour ago, Quackers101 said:

Not so nice to see, how many other doors are open unknowningly or doesn't need to be open like what type of permissions and access that a browser should ask for. which felt like it was in windows 7 era or before, or what IOS does.

If Windows improved its permission model then in theory they could implement this but the same problem would then exist on Linux and macOS.

Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill

Oneplus 7T (Mid 2021 to present), HP Envy 15" x360 R7 5700U (Mid 2021 to present)

Samaritan XTXH (Early 2021 Upgrade - AMD Ryzen 9 3900XT (12C/24T)  (2021) , MSI X370 Gaming Pro Carbon, Corsair 32GB Vengeance LPX DDR4-2666 (2020) ,  AMD Radeon RX 6700XT 12GB (Mid 2021), Corsair RM850i PSU, Noctua NH-D15 CPU Cooler (2021), Samsung 860 EVO 500GB SSD, Seagate BarraCuda 6TB HDD (2020) , NZXT S340 Elite, Corsair ML 120 Pro, Corsair ML120 x2 (2021)

Link to comment
Share on other sites

Link to post
Share on other sites

4 hours ago, Vishera said:

I actually used JavaScript to exploit my PlayStation console,

JavaScript has a huge potential for devastating vulnerabilities.

That's why JavaScript is not safe and will never be safe.

I don't know if it was patched but JavaScript can be used to mine crypto currency using the devices of those visiting your website.

 

Is it possible to make PWAs without JavaScript? Since it feels like pretty much all web apps use JavaScript.

Link to comment
Share on other sites

Link to post
Share on other sites

It wasn't just Firefox:
Pwn2Own 2022: Windows 11, Ubuntu, Firefox, Safari, Tesla and more hacked
https://www.ghacks.net/2022/05/21/pwn2own-2022-windows-11-ubuntu-firefox-safari-tesla-and-more-hacked/
Link to comment
Share on other sites

Link to post
Share on other sites

Posted (edited)

always update is great but not always good, sometimes new features or changes open up new flaws or security holes.

as one see with some software, but I guess its easier for cloud software than local software.

unlike windows that for some reason wants to not give you the option for some reason... that it did before.

Edited by Quackers101
Link to comment
Share on other sites

Link to post
Share on other sites

1 hour ago, Ultraforce said:

Is it possible to make PWAs without JavaScript? Since it feels like pretty much all web apps use JavaScript.

Yes but with reduced functionality.

3 hours ago, jagdtigger said:

Those use legitimate functions in JS so i dont think there is anything to patch, you either use an adblocker or NoScript.....

The fact that malicious payloads like this can't be patched is concerning.

Nobody wants websites to have the ability to exploit JavaScript and mine crypto currency with their hardware.

Also JavaScript is widely used for fingerprinting users and tracking user behavior - which is another malicious script that you don't want websites to use.

There should be safe guards implemented in JavaScript and in browsers to mitigate such vulnerabilities and exploits.

A PC Enthusiast since 2011
AMD Ryzen 5 2600@4.1GHz | GIGABYTE GTX 1660 GAMING OC @ Core 2085MHz Memory 5000MHz
Cinebench R15: 1349cb | Unigine Superposition 1080p Extreme: 3566
Link to comment
Share on other sites

Link to post
Share on other sites

How and why does it even affect Thunderbird... Who browse the internet with thunderbird. Damn it. I hate updating my email client, too often they break extensions.

CPU: AMD Ryzen 3600 / GPU: Radeon HD7970 GHz 3GB with Noctua Fans / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro

Link to comment
Share on other sites

Link to post
Share on other sites

1 hour ago, TetraSky said:

How and why does it even affect Thunderbird...

Thunderbird also uses Gecko and executes JavaScript AFAIK.

1 hour ago, TetraSky said:

Who browse the internet with thunderbird. Damn it. I hate updating my email client, too often they break extensions.

Nobody?

Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill

Oneplus 7T (Mid 2021 to present), HP Envy 15" x360 R7 5700U (Mid 2021 to present)

Samaritan XTXH (Early 2021 Upgrade - AMD Ryzen 9 3900XT (12C/24T)  (2021) , MSI X370 Gaming Pro Carbon, Corsair 32GB Vengeance LPX DDR4-2666 (2020) ,  AMD Radeon RX 6700XT 12GB (Mid 2021), Corsair RM850i PSU, Noctua NH-D15 CPU Cooler (2021), Samsung 860 EVO 500GB SSD, Seagate BarraCuda 6TB HDD (2020) , NZXT S340 Elite, Corsair ML 120 Pro, Corsair ML120 x2 (2021)

Link to comment
Share on other sites

Link to post
Share on other sites

12 hours ago, AluminiumTech said:

Mozilla has patched the vulnerability in its own products in the Firefox ESR 91.9.1, Firefox 100.0.2, FF for Android 100.3.0, and Thunderbird 91.9.1.

Thank god it was patched a week ago, I am another Firefox user.

Gaming With a 4:3 CRT

System specs below

 

CPU: AMD Ryzen 5 2600X with a Noctua NH-U9S cooler 
Motherboard: Gigabyte B450 Aorus M (Because it was cheap)
RAM: 16GB (2 x 8GB) of DDR4 GEIL Evo Potenza, OC to 3200Mhz
GPU: EVGA GTX 980 Ti SC Blower Card
HDD: 7200RPM TOSHIBA DT01ACA100 1TB, External HDD: 5400RPM 2TB WD My Passport
SSD: NONE, eveything works fine, no need to upgrade, stop telling me I need an SSD. Ok, things be slow sometimes.
PSU: Corsair CX650M
Displays: ViewSonic VA2012WB LCD 1680x1050p @ 75Hz
Gateway VX920 CRT: 1920x1440@65Hz, 1600x1200@75Hz, 1200x900@100Hz, 960x720@125Hz
Gateway VX900 CRT: 1920x1440@64Hz, 1600x1200@75Hz, 1200x900@100Hz, 960x720@120Hz (Can be pushed to 175Hz)
(Yes, I use a CRT and I prefer gaming on one)
 
Cooling: Grill with filter installed onto the front panel for air intake cooling with a 120mm Corsair ML120 fan and an old recycled 92mm cooler master(forgot model) fan for exhaust.
 
Keyboard: Thermaltake eSPORTS MEKA PRO with Cherry MX Red switches
Link to comment
Share on other sites

Link to post
Share on other sites

21 hours ago, LWM723 said:

It wasn't just Firefox:
Pwn2Own 2022: Windows 11, Ubuntu, Firefox, Safari, Tesla and more hacked
https://www.ghacks.net/2022/05/21/pwn2own-2022-windows-11-ubuntu-firefox-safari-tesla-and-more-hacked/

Did I read that right (different article)  that they are *releasing* the vulnerabilities to the public?

Shouldn't that be kinda illegal as it will certainly put people to harm, plus just because it can be patched doesn't mean all variants can be patched (see spectre etc) 

Seems really irresponsible (but i get why big companies like Microsoft etc would like that...)

 

Quote

Patches are then created and rolled out to users before more information is made publicly available.

...  i get it this might just be bad journalism at work as usual,  but they go on how "great" this is lol...

 

"more information" basically means every script kiddie will do it... 🤦‍♀️

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 

Link to comment
Share on other sites

Link to post
Share on other sites

4 minutes ago, Mark Kaine said:

Did I read that right (different article)  that they are *releasing* the vulnerabilities to the public?

Shouldn't that be kinda illegal as it will certainly put people to harm, plus just because it can be patched doesn't mean all variants can be patched (see spectre etc) 

Seems really irresponsible (but i get why big companies like Microsoft etc would like that...)

Is it any different from those revealed in patch logs?

If you think I'm wrong, correct me. If I've offended you in some way tell me what it is and how I can correct it. I want to learn, and along the way one can make mistakes; Being wrong helps you learn what's right.

Link to comment
Share on other sites

Link to post
Share on other sites

Posted (edited)
2 minutes ago, J-from-Nucleon said:

Is it any different from those revealed in patch logs?

well, thats the question... i hope they don't come with instructions!  UwU

 

Seriously shouldn't they just shut up about it? "fixed vulnerability in browser " is all the public needs to know!?

Edited by Mark Kaine

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 

Link to comment
Share on other sites

Link to post
Share on other sites

3 minutes ago, J-from-Nucleon said:

Is it any different from those revealed in patch logs?

also would think it depends on the issue at hand and what they reveal?

but I guess one could have some delayed response, so that people have days on them?

Link to comment
Share on other sites

Link to post
Share on other sites

1 hour ago, Mark Kaine said:

...  i get it this might just be bad journalism at work as usual,  but they go on how "great" this is lol...

 

"more information" basically means every script kiddie will do it... 🤦‍♀️

This is how security disclosure programmes work, the discloser gives the information to the developer of the software which then asks for secrecy surrounding the issue until it has been patched. Once it is then patched the secrecy no longer applies and then the developer of the software announces the issue has been fixed in a new version and gives credit to the discloser for disclosing the vulnerability as well as whatever financial reward the disclosure programme has.

 

This is by design to avoid malicious actors from exploiting the vulnerability before it has been patched. This is standard operating procedure for disclosing vulnerabilities in many open source projects and companies.

Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill

Oneplus 7T (Mid 2021 to present), HP Envy 15" x360 R7 5700U (Mid 2021 to present)

Samaritan XTXH (Early 2021 Upgrade - AMD Ryzen 9 3900XT (12C/24T)  (2021) , MSI X370 Gaming Pro Carbon, Corsair 32GB Vengeance LPX DDR4-2666 (2020) ,  AMD Radeon RX 6700XT 12GB (Mid 2021), Corsair RM850i PSU, Noctua NH-D15 CPU Cooler (2021), Samsung 860 EVO 500GB SSD, Seagate BarraCuda 6TB HDD (2020) , NZXT S340 Elite, Corsair ML 120 Pro, Corsair ML120 x2 (2021)

Link to comment
Share on other sites

Link to post
Share on other sites

2 hours ago, Mark Kaine said:

"more information" basically means every script kiddie will do it... 🤦‍♀️

So what? Its already patched, if someone doesnt update thats on them....

Link to comment
Share on other sites

Link to post
Share on other sites

52 minutes ago, AluminiumTech said:

Once it is then patched the secrecy no longer applies and then the developer of the software announces the issue has been fixed in a new version and gives credit to the discloser for disclosing the vulnerability

 

29 minutes ago, jagdtigger said:

Its already patched

 

2 hours ago, Mark Kaine said:

plus just because it can be patched doesn't mean all variants can be patched (see spectre etc) 

 

.

 

There is no good reason to disclose the vulnerability to "the public" 

 

 

 

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 

Link to comment
Share on other sites

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share


×