Firefox 117 Addresses 4 Memory Corruption Vulnerabilities
During its beta phase, Firefox 117 introduced an exciting new feature that was already present in other browsers – an integrated website translation engine that performs all translations locally within your web browser, keeping security in mind. Regrettably, this much-anticipated feature did not make it to the final release.
The latest release of Firefox 117 brings new exciting features and improvements, including security fixes for 13 vulnerabilities reported by security researchers.
Five High Severity Vulnerabilities Fixed
A memory corruption flaw was discovered in IPC CanvasTranslator. When mStream was initialized and received rendering data over IPC, it could have been destroyed, resulting in a use-after-free flaw that could potentially lead to an exploitable crash.
A memory corruption vulnerability was found in IPC ColorPickerShownCallback. When establishing a callback over IPC to display the Color Picker window, there was a potential issue where many of the same callbacks could have been generated simultaneously and destroyed when one of these callbacks finished. This could result in a use-after-free flaw, which in turn leads to a potentially exploitable crash.
A memory corruption vulnerability was found in IPC FilePickerShownCallback. When establishing an IPC callback to initiate the File Picker window, there was a potential for multiple identical callbacks to be generated concurrently. Subsequently, upon completing any of these callbacks, all of them could have been simultaneously destroyed. This scenario had the potential to result in a use-after-free situation, potentially leading to an exploitable crash.
A memory corruption vulnerability was found in JIT UpdateRegExpStatics. When the function UpdateRegExpStatics attempted to access the initialStringHeap, there was a possibility that this heap had already been garbage collected before entering the function. This situation had the potential to result in an exploitable crash.
Another high-severity vulnerability, an integer overflow tracked as CVE-2023-4576, was also discovered in RecordedSourceSurfaceCreation. However, this flaw only affects Firefox on Windows, leaving other operating systems unaffected.
Furthermore, eight other vulnerabilities, rated moderate to low severity, have been reported and fixed. For complete details on all security vulnerabilities patched, refer to MFSA 2023-34.
For Linux users, the Mozilla Firefox 117 release appears to have removed the screen-sharing indicator on Wayland systems. Mozilla stated that the screen-sharing indicator faced challenges in functioning effectively on various platforms, including Wayland. Furthermore, they noted that many popular Linux desktop environments already offer their own screen-sharing indicators, which influenced their decision to remove it from Firefox.
In addition to these changes, the release includes enhancements such as improved scrolling for YouTube video lists when using a screen reader and expanded support for credit card autofill in the IT, ES, AT, BE, and PL locales.
You can currently download Mozilla Firefox 117 directly from Mozilla’s download server. However, if you have Firefox installed through your distribution’s repositories, it’s advisable to wait for the official update to become available before proceeding.
The sources for this article include a story from 9to5Linux.