Tag Archive for: firefox

Central government urges immediate action for Mozilla Firefox users amid security concerns



CERT-In, the Indian Computer Emergency Response Team, has issued a security advisory for Mozilla's Firefox web browser. The alert describes vulnerabilities that attackers could exploit to gain access to confidential user data, and it is all the more concerning because Firefox is affected by not one but several security issues at once.

Affected Versions

  • Firefox ESR versions before 115.5.0
  • Firefox iOS versions before 120
  • Mozilla Thunderbird versions before 115.5

The Risks

The advisory warns that the flaws could be exploited to gain unauthorised access to affected systems and the data on them, which is why CERT-In treats them as a serious threat to user security.

Protective Measures Advised by CERT-In

  1. Update Firefox Immediately: Users are strongly advised to update their Firefox browser promptly. This step is crucial in addressing and mitigating the identified security issues.
  2. Enable Automatic Updates: Ensure that automatic updates are enabled for your Firefox browser. This feature helps in keeping the browser’s security measures up-to-date.
  3. Exercise Caution with Links and Attachments: Avoid clicking on links and opening attachments from unknown senders, whether through messages or emails. This simple precaution can prevent potential security threats.

CERT-In’s Recent Alerts

In recent weeks, CERT-In has been proactive in issuing security alerts. Prior warnings included concerns about security problems in Chrome on Android and highlighted vulnerabilities in major applications developed by Adobe.

Tips to Stay Safe

Staying vigilant and taking immediate action to update software are critical steps in safeguarding against potential security breaches. As cyber threats continue to evolve, users are encouraged to follow best practices to protect their devices and sensitive information. For further details and the latest updates, users can refer to CERT-In’s official website.


Video Encoding Library Leaves Chrome, Firefox and More Open to Zero-Day Attack


Google and Mozilla have patched the zero-day vulnerability, which originates in the libvpx library.


Google and Mozilla have patched a zero-day vulnerability in Chrome and Firefox, respectively. The flaw was being exploited by a commercial spyware vendor. It is a heap buffer overflow: a crafted media stream can make the decoder write past the end of a heap buffer, corrupting adjacent memory in a way an attacker can use to run malicious code. Any software that uses VP8 encoding in libvpx or is based on Chromium (including Microsoft Edge) might be affected, not just Chrome or Firefox.

If you use Chrome, update to 117.0.5938.132 when it becomes available; Google says it may take "days/weeks" for the update to reach all users. In Firefox, the flaw is patched in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox Focus for Android 118.1 and Firefox for Android 118.1.


This zero-day vulnerability originates in libvpx library

The vulnerability is a heap buffer overflow in the VP8 encoder of libvpx, a video codec library maintained by Google as part of the WebM project. It is widely used to encode and decode video in the VP8 and VP9 formats.

“Specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process,” the Firefox team wrote in their security advisory.

From there, the vulnerability "allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," according to the CVE record.


The vulnerability is tracked as CVE-2023-5217. Clément Lecigne, a security researcher at Google's Threat Analysis Group, reported the flaw on September 25, and Google shipped a patch on September 27.

“A commercial surveillance vendor” was actively using the exploit, researcher Maddie Stone of Google’s Threat Analysis Group noted on X.

There is not a lot more information available about the zero-day exploit at this time. “Google is aware that an exploit for CVE-2023-5217 exists in the wild,” the company wrote in the…


Zero-Day Security Vulnerability Found in Chrome, Firefox and Other Browsers


Updates are now available to patch a Chrome vulnerability that would allow attackers to run malicious code.


It's time to update Google Chrome, Mozilla's Firefox and Thunderbird, Microsoft Edge, the Brave browser and Tor Browser: web development news site StackDiary has reported a zero-day vulnerability affecting all six applications that could allow threat actors to execute malicious code.


Vulnerability originates in WebP reader

Users of the affected browsers should update to the latest version to ensure the zero-day vulnerability is patched on their machines. The problem is not specific to the browsers: the vulnerability originates in the WebP codec they bundle, StackDiary discovered, so anything else that decodes WebP images with the same library is exposed too.

Other affected applications include:

  • Affinity.
  • Gimp.
  • Inkscape.
  • LibreOffice.
  • Telegram.
  • Many Android applications.
  • Cross-platform apps built with Flutter.

Apps built on Electron may also be affected; Electron released a patch.

Many applications use the WebP codec and libwebp library to render WebP images, StackDiary noted.


In more detail, a heap buffer overflow in WebP allowed attackers to perform an out-of-bounds memory write, NIST said. In a heap buffer overflow, the program copies more data into a heap-allocated buffer than the buffer was sized for, so the excess spills over into whatever memory sits next to it, StackDiary explained. Because this particular overflow is in the codec (essentially a translator that lets a computer render WebP images), an attacker can craft an image whose headers and payload are inconsistent, so that merely decoding it corrupts memory and, with further work, runs the attacker's code. From there, they could steal data or infect the computer with malware.
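The overflow pattern behind both the libwebp bug described here and the libvpx bug in the previous article is a decoder that sizes an output buffer from one field of the input and copies data according to another, without checking that the two agree. The following C program, added here as an illustration and not code from libwebp, libvpx or the browsers, shows that pattern in a constructed toy image format: a vulnerable decoder that trusts the payload length, the fixed decoder that rejects a payload that does not match the declared dimensions, and a canary placed after the pixel buffer to stand in for the neighbouring heap object that a real overflow would corrupt. The format, the function names and the sample inputs are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy image format (an assumption for this example, not WebP or VP8):
 *   byte 0: width, byte 1: height, byte 2: payload length n, then n pixel bytes. */

#define CANARY 0xA5C3F00Du

typedef struct {
    size_t   cap;    /* pixel buffer size = width * height */
    uint8_t *blob;   /* cap pixel bytes followed by a 4-byte canary */
} frame_t;

/* Allocate the pixel buffer from the header's dimensions and place a canary
 * immediately after it; the canary stands in for the next object on the heap. */
static frame_t *frame_alloc(uint8_t width, uint8_t height)
{
    frame_t *f = malloc(sizeof *f);
    if (!f) return NULL;
    f->cap  = (size_t)width * height;
    f->blob = malloc(f->cap + sizeof(uint32_t));
    if (!f->blob) { free(f); return NULL; }
    uint32_t c = CANARY;
    memcpy(f->blob + f->cap, &c, sizeof c);
    return f;
}

static void frame_free(frame_t *f) { if (f) { free(f->blob); free(f); } }

/* 1 if the memory after the pixel buffer is untouched, 0 if it was overwritten. */
static int frame_canary_intact(const frame_t *f)
{
    uint32_t c;
    memcpy(&c, f->blob + f->cap, sizeof c);
    return c == CANARY;
}

/* Vulnerable decoder: checks that the *input* holds n bytes, but never compares
 * n with the size of the *output* buffer derived from width * height. */
int decode_vulnerable(const uint8_t *in, size_t len, frame_t **out)
{
    if (len < 3) return -1;
    size_t n = in[2];
    if (len < 3 + n) return -1;
    frame_t *f = frame_alloc(in[0], in[1]);
    if (!f) return -1;
    memcpy(f->blob, in + 3, n);          /* n > cap  =>  heap buffer overflow */
    *out = f;
    return 0;
}

/* Fixed decoder: the payload must exactly fill the buffer the header describes. */
int decode_fixed(const uint8_t *in, size_t len, frame_t **out)
{
    if (len < 3) return -1;
    size_t n = in[2];
    if (len < 3 + n) return -1;
    size_t cap = (size_t)in[0] * in[1];
    if (n != cap) return -1;             /* header and payload disagree: reject */
    frame_t *f = frame_alloc(in[0], in[1]);
    if (!f) return -1;
    memcpy(f->blob, in + 3, n);
    *out = f;
    return 0;
}

/* Constructed inputs: a benign 2x2 image, and one whose payload length (8)
 * exceeds the 2x2 = 4 byte buffer by exactly the width of the canary, so the
 * overflow stays inside this example's allocation while still clobbering it. */
static const uint8_t benign[]    = {2, 2, 4, 0x10, 0x20, 0x30, 0x40};
static const uint8_t malicious[] = {2, 2, 8, 0x10, 0x20, 0x30, 0x40,
                                    0x41, 0x41, 0x41, 0x41};

/* Returns 1 if decoding left the neighbouring memory intact, 0 if the decoder
 * corrupted it, and -1 if the decoder rejected the input. */
int probe(int (*decode)(const uint8_t *, size_t, frame_t **),
          const uint8_t *in, size_t len)
{
    frame_t *f = NULL;
    if (decode(in, len, &f) != 0) return -1;
    int ok = frame_canary_intact(f);
    frame_free(f);
    return ok;
}

int main(void)
{
    printf("vulnerable/benign   : %d\n", probe(decode_vulnerable, benign, sizeof benign));
    printf("vulnerable/malicious: %d\n", probe(decode_vulnerable, malicious, sizeof malicious));
    printf("fixed/malicious     : %d\n", probe(decode_fixed, malicious, sizeof malicious));
    return 0;
}
```

The vulnerable path reports 0 for the malicious input because the four 0x41 bytes landed on the canary; in a real codec those bytes land on whatever heap object follows the pixel buffer, which is the "heap corruption" the advisories describe. The fix is not a larger buffer but the consistency check between the two length sources.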

The vulnerability was reported by the Apple Security Engineering and Architecture team and The Citizen Lab at the University of Toronto on September 6, StackDiary said.

What steps should users take?

Google, Mozilla, Brave, Microsoft and Tor have released security patches for this vulnerability. Individuals running those apps should update to the latest version. In the case of other applications, this is an ongoing…


You Really Need to Update Firefox and Android Right Now


The Android security patch is available to Google’s Pixel devices, which have their own specific updates, and Samsung’s Galaxy range, including Samsung Galaxy Note 10, Galaxy S21, and Galaxy A73. You can check for the update in your settings.

Microsoft Patch Tuesday

Microsoft fixed a rather hefty 98 security issues in its first Patch Tuesday of the year, including an already exploited vulnerability: CVE-2023-21674 is an elevation of privilege flaw impacting the Windows Advanced Local Procedure Call that could lead to browser sandbox escape. 

By exploiting the bug, an adversary could gain SYSTEM privileges, Microsoft wrote, confirming that the flaw has been exploited in real-world attacks.

Another elevation of privilege vulnerability in the Windows Credential Manager User Interface, CVE-2023-21726, is relatively easy to exploit and doesn’t require any interaction from the user.

January’s Patch Tuesday also saw Microsoft fix nine Windows Kernel vulnerabilities, eight of which are elevation of privilege issues and one information disclosure vulnerability.

Mozilla Firefox

Software firm Mozilla has released important updates for its Firefox browser, the most serious of which have been the subject of a warning by the US Cybersecurity and Infrastructure Security Agency (CISA). 

Among the 11 flaws fixed in Firefox 109 are four rated as having a high impact, including CVE-2023-23597, a logic bug in process allocation that could allow adversaries to read arbitrary files. Meanwhile, Mozilla said its security team found memory safety bugs in Firefox 108. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort, some could have been exploited to run arbitrary code,” it wrote.

An attacker could exploit some of these vulnerabilities to take control of an affected system, CISA said in its advisory. “CISA encourages users and administrators to review Mozilla’s security advisories for Firefox ESR 102.7 and Firefox 109 for more information and apply the necessary updates.”

VMware

Enterprise software maker VMware has published a security advisory detailing four flaws affecting its VMware vRealize Log Insight product. Tracked as CVE-2022-31706,…
