In an advisory published yesterday, Mozilla disclosed the presence of nine security flaws in Firefox 61 which have been patched in the latest release of the browser. Some of the bugs are severe, but at this time do not appear to be receiving attacks in the wild. To protect yourself as a Firefox user, ensure that you have updated Firefox to the latest version as soon as possible. To do this, click the ‘Firefox‘ menu and ‘About Firefox‘. The browser will check for an update automatically and will download the update if available. You will then be prompted to ‘Restart to update Firefox‘
In the remainder of this post, we will take a closer look at some of the notable bugs from yesterday’s update and the types of vulnerabilities they contain. To help secure the broader web community, we would like to encourage you to let your friends, family and colleagues know that they should update Firefox as soon as possible. Either share this post or drop them a helpful note.
Though the amount of detail available on each bug varies, Mozilla’s advisories contain brief descriptions and impact scores of disclosed issues. Five of the nine vulnerabilities were assigned scores of Low and Moderate and the remaining four items have been determined to be of High or Critical impact.
The Bugzilla entries for these higher-severity bugs are all private at the time of this writing, most likely to limit the spread of details on the exploitability of these flaws while the Firefox user base collectively updates their browsers.
Two bugs marked high-impact in Mozilla’s advisory, CVE-2018-12377 and CVE-2018-12378, pertain to use-after-free vulnerabilities. This type of bug exists when an application can be made to attempt to reference data stored in memory which has already been freed. In other words, in certain cases a program can be made to crash or behave abnormally if it attempts to recall information it’s already been told to forget. The “abnormal behavior” can depend on how exactly the issue was triggered in the first place, as well as what new data may have replaced whatever the application attempted to load.
In the case of these two Firefox bugs, the advisory specifies the existence of a “potentially exploitable crash”, which is common for this sort of vulnerability. No mention was made of possible remote code execution, another possible consequence of use-after-free flaws, suggesting that particular vector is not present in these cases.
Memory Safety Bugs
The other two notable issues, CVE-2018-12375 and CVE-2018-12376 (marked High and Critical-impact, respectively), have been labeled memory safety bugs. Memory safety is a fairly wide umbrella term, potentially referring to classes of vulnerability like race conditions, buffer overflows, and more, so the scope of these vulnerabilities remains to be seen. However, Mozilla’s details in the advisory entries on both of these CVEs state “Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.”
Patching Against The Theoretical
Mozilla’s statement, that they “presume” the reported memory safety bugs “could” be used to run code “with enough effort”, is an important one. Mind you, it’s not necessarily an uncommon mindset to have, but it’s worth bringing attention to it when it comes up. Patching a vulnerability that may not be feasibly exploited today is still critical in an age where technologies and techniques advance so rapidly.
This concept is of historical note, specifically in the example of CVE-2016-5195, better known as Dirty COW. Dirty COW (short for Dirty Copy-On-Write), was a major vulnerability in the Linux kernel publicly disclosed in 2017. The flaw allowed attackers with low-privilege access (such as a PHP web shell or even an unrooted Android device) to temporarily overwrite protected system files allowing a privilege escalation, up to and including root access to the affected system.
Dirty COW’s relevance in this case stems from the fact that the flaw was actually identified and patched eleven years prior, before being reverted due to compatibility issues. In a commit message from 2016, Linus Torvalds stated “…what used a purely theoretical race back then has become easier to trigger,” referring to the race condition flaw that allows Dirty COW to be exploited. Put simply, when it was discovered it would have been arbitrarily unfeasible to successfully perform the exploit on existing hardware. Thus, it was deemed low-severity enough to get buried for over a decade.
Mozilla’s decision, and similar choices made by security-conscious developers every day, benefit the community by reinforcing the mindset that a theoretical vulnerability is a vulnerability nonetheless.
Information overload aside, these aren’t issues worth worrying about for most Firefox users. As usual, performing the update (if yours hasn’t automatically patched by now) is all it takes to protect yourself from these issues. With that in mind, please take a moment to make sure your peers are aware of bugs like these. Poke your friends and coworkers and nag them to click that update button, or just share this post with them. Either way, you’ll be doing your part to make them more secure.