Mozilla releases patches for Firefox, Thunderbird, fixing critical flaws
Take action: Time to update your Thunderbird mail client and Firefox browser. Don't forget browsers built on Firefox, such as Tor Browser and Waterfox. Don't delay: several of the flaws are high severity (and score as critical under CVSS), and patching is trivial.
Learn More
On October 1, 2024, Mozilla released Firefox 131 (with Firefox ESR 128.3 and ESR 115.16) and Thunderbird 131 and 128.3, addressing several security vulnerabilities, including some that Mozilla rates as high severity.
- CVE-2024-9392 (CVSS score 9.8) – Impacts Firefox, Thunderbird – Compromised content process can bypass site isolation. A compromised content process could allow arbitrary loading of cross-origin pages.
- CVE-2024-9401 and CVE-2024-9402 (CVSS score 9.8) – Impacts Firefox, Thunderbird – Memory safety bugs in Firefox and Thunderbird. Various memory safety bugs, some of which could potentially be exploited to run arbitrary code.
- CVE-2024-9400 (CVSS score 8.8) – Impacts Firefox, Thunderbird – Potential memory corruption during JIT compilation. Memory corruption may occur if an attacker triggers an out-of-memory (OOM) state during Just-In-Time (JIT) compilation.
- CVE-2024-9396 (CVSS score 8.8) – Impacts Firefox, Thunderbird – Potential memory corruption during object cloning. Memory corruption is possible when cloning certain objects; it is unclear whether this is exploitable.
- CVE-2024-9393 (CVSS score 7.6) – Impacts Firefox, Thunderbird – Cross-origin access to PDF contents through multipart responses. Specially crafted multipart responses could allow arbitrary JavaScript execution under the resource://pdf.js origin, enabling access to cross-origin PDF content.
- CVE-2024-9394 (CVSS score 7.6) – Impacts Firefox, Thunderbird – Cross-origin access to JSON contents through multipart responses. Specially crafted multipart responses could allow arbitrary JavaScript execution under the resource://devtools origin, enabling access to cross-origin JSON content.
- CVE-2024-9403 (CVSS score 7.3) – Impacts Firefox – Memory safety bugs present in Firefox 130. Some of these bugs showed evidence of memory corruption, and Mozilla presumes that with enough effort some of them could have been exploited to run arbitrary code.
- CVE-2024-9397 (CVSS score 4.3) – Impacts Firefox, Thunderbird – Potential directory upload bypass via clickjacking. A missing delay in the directory upload UI could allow attackers to trick users into granting permission via clickjacking.
- CVE-2024-9398 (CVSS score 4.3) – Impacts Firefox, Thunderbird – External protocol handlers could be enumerated via popups. Attackers could determine whether an external protocol handler is installed by observing the results of window.open calls.
- CVE-2024-9399 (CVSS score 3.1) – Impacts Firefox, Thunderbird – Specially crafted WebTransport requests could lead to denial of service. Crafted WebTransport sessions could crash the browser or mail client, leading to a denial-of-service condition.
Users are advised to update Firefox, Thunderbird and Firefox-based browsers without delay, and to confirm that the installed version is on or above the fixed release for its branch (131 on the main release line, 128.3 on ESR 128, 115.16 on ESR 115).
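The check below is an added example, not code from the page or from Mozilla. It reads the `--version` banner that Firefox and Thunderbird print and decides, per release branch, whether the install already carries the October 1, 2024 fixes. The version floors come from Mozilla's advisories (Firefox 131, ESR 128.3, ESR 115.16, Thunderbird 131 and 128.3); the binary names `firefox` and `thunderbird` on PATH are an assumption, as is treating Thunderbird 115.x (which got no fix in this batch) as needing an upgrade. The sample banners in the `__main__` block are constructed.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Lowest fixed version on each long-lived branch, per Mozilla's advisories of
# 1 October 2024 (Firefox ESR 128.3 / ESR 115.16, Thunderbird 128.3).
BRANCH_FLOOR = {
    "firefox": {115: (115, 16, 0), 128: (128, 3, 0)},
    "thunderbird": {128: (128, 3, 0)},
}
# Current release line fixed in the same batch (Firefox 131, Thunderbird 131).
LATEST = {"firefox": (131, 0, 0), "thunderbird": (131, 0, 0)}


def parse_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, patch) from '--version' output such as
    'Mozilla Firefox 131.0' or 'Thunderbird 128.3.0esr'.
    Returns None if the text carries no version number."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_patched(product: str, version: Version) -> bool:
    """Branch-aware comparison: ESR 128.3.0 is numerically older than 131.0
    but is fully patched, so compare against the floor of the installed
    branch. A branch with no entry (e.g. 130.x, or Thunderbird 115.x, which
    got no fix here; assumption: treat as needing upgrade) is measured
    against the current release line instead."""
    floor = BRANCH_FLOOR[product].get(version[0], LATEST[product])
    return version >= floor


def assess(product: str, banner: str) -> str:
    """Turn a version banner into a one-line verdict."""
    version = parse_version(banner)
    if version is None:
        return f"{product}: could not parse version from {banner!r}"
    state = "patched" if is_patched(product, version) else "UPDATE NEEDED"
    return f"{product} {'.'.join(map(str, version))}: {state}"


def installed_banner(binary: str) -> Optional[str]:
    """Run '<binary> --version' if it is on PATH (assumed names: 'firefox',
    'thunderbird'); returns None when the binary is not installed."""
    path = shutil.which(binary)
    if path is None:
        return None
    out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=30)
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample banners so the branch logic is visible without a local install.
    samples = [
        ("firefox", "Mozilla Firefox 130.0.1"),      # release line, pre-fix
        ("firefox", "Mozilla Firefox 131.0"),        # release line, fixed
        ("firefox", "Mozilla Firefox 128.2.0esr"),   # ESR 128, pre-fix
        ("firefox", "Mozilla Firefox 128.3.0esr"),   # ESR 128, fixed
        ("thunderbird", "Thunderbird 128.2.3esr"),   # pre-fix
    ]
    for product, banner in samples:
        print(assess(product, banner))
    # Then the real installs, if any.
    for product in ("firefox", "thunderbird"):
        banner = installed_banner(product)
        print(assess(product, banner) if banner else f"{product}: not found on PATH")
```

A plain "is it 131 yet" comparison would wrongly flag a fully patched ESR 128.3 install, which is why the floor is looked up by major version first; for Tor Browser or Waterfox, substitute the Firefox ESR version they report rather than their own product version.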