Attackers could look at two of Mozilla as “criticalClassify vulnerabilities in Firefox, Firefox ESR, Firefox for Android, and Thunderbird and, in the worst case, run your own code. Now there are protected versions.

JavaScript property in focus

The two vulnerabilities (CVE-2022-1529, CVE-2022-1802) were disclosed during the Pwn2Own hacking competition. There, one participant successfully attacked applications via prototype contamination attacks in the context of JavaScript. JavaScript works as a prototype. Newly created objects inherit the properties and methods of the object prototype. This object-based inheritance is really useful, but it can also be abused.

An attacker only needs to modify the “object” prototype to manipulate all objects and make changes to the entire application. This is exactly what the security researcher did at the competition. He then he was able to run his own JavaScript. He received a $100,000 reward for successfully exploiting the vulnerabilities.

Update now!

According to the warning messageversions Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3 and Thunderbird 91.9.1 are prepared for it.

See also:

• Firefox – download quickly and safely from heise.de
• Thunderbird: Download quickly and safely from heise.de

(from)