Mozilla Foundation releases Firefox 84 browser, fixing several flaws & delivering performance gains & Apple processor support.
A Mozilla Foundation update to the Firefox web browser, released Tues., tackles 1 critical vulnerability & a handful of high-severity bugs. The update, released as Firefox version 84, is also billed by Mozilla as boosting the browser’s performance & adding native support for macOS hardware running on its own Apple processors.
Altogether, 6 high-severity flaws were fixed, in addition to the critical bug, tracked as CVE-2020-16042. The same critical bug was also highlighted earlier this month in Google’s Chrome browser security update, where it was rated as a ‘high-severity’ flaw.
The Firefox & Chrome bug (CVE-2020-16042) is still not fully described by either browser maker & is only listed as a memory bug.
Mystery Bug Also Impacts Google Chrome Web Browser
Critical Attack Vector
“These are actually a critical attack vector that can be reliably exploited by hackers to launch privilege-escalation attacks in the Linux kernel,” according to 2017 research published by the Georgia Institute of Technology in the US.
The CVE was also referenced last week by Microsoft, as part of its Dec. Patch Tuesday list of bugs impacting its Edge browser version 87.0.664.57. Microsoft’s Edge browser, released in Jan. 2020, is based on Google’s open-source software project Chromium. The Chromium source code is used in Google’s Chrome browser & Microsoft’s 2020 Edge browser.
WASM & V8 Bugs
Mozilla’s Firefox browser is not Chromium based. WASM is supported in Mozilla Firefox & Apple Safari, even though neither uses Google’s V8. Some clues as to the nature of the bug can be derived from the fact that it impacts both the Firefox and Chrome browsers; the common denominator is WASM. In addition, a 2018 analysis of WASM & V8 bugs warned of possible security issues.
In 2018, Google’s Project Zero published research titled “The Problems and Promise of Web Assembly” & identified 3 vulnerabilities, which were mitigated. One future WASM threat, Google warned, was tied to Web Assembly’s garbage collection (GC) feature.
Web Assembly the Culprit?
As for Google, it warned in 2018:
“Web Assembly GC is another potential feature of Web Assembly that could lead to security problems.
Currently, some uses of Web Assembly have performance problems due to the lack of higher-level memory management in Web Assembly. For example, it is difficult to implement a performant Java Virtual Machine in Web Assembly.
If Web Assembly GC is implemented, it will increase the number of applications that Web Assembly can be used for, but it will also make it more likely that vulnerabilities related to memory management will occur in both Web Assembly engines & applications written in Web Assembly.”
At both vulnerability databases, MITRE’s CVE list & NIST’s National Vulnerability Database, the technical specifics of the CVE have yet to be publicly disclosed. In Google’s Dec. Security Bulletin, it noted that details tied to CVE-2020-16042 & other bugs were being withheld, “until a majority of users are updated with a fix.”
It also noted that when a bug exists in 3rd-party code libraries used by other devices or platforms, technical details of the bug remain restricted.
Credited with finding the bug is bug hunter André Bargull, who originally reported it on Nov. 23, Google says.
6 High-Severity Firefox Bugs
Memory issues dominated the list of high-severity bugs patched by Mozilla on Tues. Two “memory safety bugs” (CVE-2020-35114 & CVE-2020-35113) were patched. Both CVEs addressed bugs in Firefox 84 and its large-enterprise Firefox Extended Support Release (ESR) 78.6 browser.
“Some of these bugs showed evidence of memory corruption & we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla wrote of both bugs.
Also tied to browser memory are bugs tracked as CVE-2020-26971, CVE-2020-26972 & CVE-2020-26973, which include a heap-buffer-overflow in WebGL, a use-after-free in WebGL & a flaw in which the CSS sanitizer performed incorrect sanitization.