A new risk related to the use of web browsers has been disclosed. Information security awareness experts discovered multiple security flaws in Mozilla Firefox; exploiting the most severe of these vulnerabilities would allow remote code execution in the context of the logged-on user.
Threat actors could then install programs; view, change, or delete data; and even create new administrator accounts, depending on the privileges associated with the target user. It is important to note that a user account configured with reduced privileges may be less affected than one with administrator privileges.
Below, information security awareness experts list the vulnerabilities found, with their respective tracking keys according to the Common Vulnerability Scoring System (CVSS).
- CVE-2020-12399: Timing vulnerability that occurs when generating DSA signatures, which could leak private keys
- CVE-2020-12405: Use-after-free vulnerability in SharedWorkerService that causes system faults
- CVE-2020-12406: Type confusion vulnerability that allows arbitrary code execution due to an error when deleting JavaScript objects
- CVE-2020-12407: Memory leak vulnerability in WebRender that allows a local user to access the contents of memory
- CVE-2020-12408: Identity forgery vulnerability that would allow hackers to redirect users to malicious websites
- CVE-2020-12409: Identity forgery vulnerability that would allow hackers to redirect users to malicious websites
- CVE-2020-12410: Buffer overflow vulnerability that allows arbitrary code execution due to errors in processing HTML content
- CVE-2020-12411: Buffer overflow vulnerability that allows arbitrary code execution due to errors in processing HTML content
These flaws could affect users in organizations of any size, whether public or private; information security awareness specialists note that the vulnerabilities can also affect business environments.
Functional workarounds are currently unknown, so users are advised to apply the following security measures:
- Install Mozilla-released patches for vulnerable systems
- Run any software as a user without administrative privileges to mitigate the extent of a potential attack
- Avoid the use of untrusted websites or links to unknown sites
- Apply the principle of least privilege to all systems and services
For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to visit the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He has also worked for security companies such as Kaspersky Lab. His everyday job includes researching new malware and cyber security incidents. He also has a deep level of knowledge in mobile security and mobile vulnerabilities.