Mozilla has released security updates for Firefox and Thunderbird to address a total of 20 vulnerabilities, including several high-severity issues. Firefox 121 includes patches for 18 vulnerabilities, with the most critical being a WebGL heap buffer overflow bug (CVE-2023-6856) that could allow an attacker to achieve remote code execution and sandbox escape. Another notable issue is CVE-2023-6135, in which NIST curves in Network Security Services (NSS) are susceptible to the Minerva side-channel attack, potentially enabling the recovery of long-term private keys.
The Mozilla advisory also highlights CVE-2023-6865, a bug in EncryptingOutputStream that may expose uninitialized data, which could then be written to a local disk, with implications for private browsing mode. Firefox 121 addresses multiple memory safety issues collectively tracked as CVE-2023-6873 and CVE-2023-6864, with the latter also affecting Firefox ESR and Thunderbird. Additionally, the update resolves eight medium-severity flaws, including heap buffer overflow, use-after-free, and sandbox escape issues, along with five low-severity bugs. Simultaneously, Mozilla released Thunderbird 115.6 to patch 11 vulnerabilities, nine of which were also addressed in Firefox. Two high-severity flaws in Thunderbird (CVE-2023-50762 and CVE-2023-50761) could potentially allow attackers to spoof email messages and manipulate the time at which a message was sent.
Mozilla emphasizes that there is no indication of these vulnerabilities being exploited in attacks. Firefox ESR 115.6 was also released to address 11 security defects tackled by Firefox 121. These updates reinforce the importance of keeping browsers and email clients up to date to mitigate potential security risks. Users are encouraged to apply the latest patches promptly to protect against possible exploits and vulnerabilities in these widely used applications. For more detailed information, users can refer to Mozilla’s security advisories page.