Mozilla exorcises five bugs on Halloween

The Mozilla Foundation yesterday issued updates for its Firefox and Thunderbird products, fixing a total of five vulnerabilities, one critical.

The most severe bug, designated CVE-2018-12390, consists of a series of memory safety bugs discovered by Mozilla developers and community members in Firefox 63, Firefox ESR 60.3 and Thunderbird 60.3. "Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code," said a Mozilla advisory.

Researchers also found a series of low-severity memory safety bugs in the same three products (CVE-2018-12389).

Three other flaws were categorized as high in severity. The first, CVE-2018-12391, allows audio data to be accessed across origins, in violation of security policies, during HTTP Live Stream playback on Firefox for Android. The second, CVE-2018-12392, is the result of poor event handling related to nesting loops, and could enable attackers to trigger a crash. And the third, CVE-2018-12393, is an out-of-bounds writer vulnerability that stems from integer overflow during Unicode conversation while loading JavaScript.

Mozilla has noted that these vulnerabilities are most risky in browser or browser-like environments, but generally cannot be exploited through email in the Thunderbird product due to disabled scripting.