High-severity bugs patched in Chrome, Firefox browsers
Google has released several security fixes for the desktop edition of its Chrome browser, and Mozilla has done the same for Firefox and Firefox Extended Support Release (ESR), a version of the browser intended for deployment in large organizations. Critical vulnerabilities and a high-severity bug have been reported in both, which could allow arbitrary code execution.
Users running with an operating system account that grants elevated privileges (e.g., administrator privileges) face the highest risk. According to MS-ISAC at the Center for Internet Security, depending on the privileges associated with the user, "an attacker could then install programs; view, change or delete data; or create new accounts with full user rights."
Google's stable channel update to version 83.0.4103.97 for Windows, Mac, and Linux patched six bugs, four of which were rated high in severity. The most significant of the bunch, CVE-2020-6493, is a use-after-free flaw in Web Authentication that earned an anonymous researcher a US$20,000 (£17,500) bug bounty.
The three other high-severity bugs fixed were described as an incorrect security user interface in payments, insufficient policy enforcement in developer tools, and a use-after-free vulnerability in payments.
Meanwhile, Mozilla has fixed eight bugs across Firefox (fixed in version 77) and Firefox ESR (fixed in version 68.9); all eight affect Firefox. Five of the bugs are rated high in severity and, depending on the issue, can lead to the leaking of private keys, an exploitable crash, or arbitrary code execution.
Mozilla also released Thunderbird version 68.9.0, fixing five bugs in the email client: four of the same vulnerabilities found in the browsers, plus its own high-severity vulnerability that could lead to information leakage.
Risk ratings by entity type:
- Large and medium government entities: HIGH
- Small government entities: MEDIUM
- Large and medium business entities: HIGH
- Small business entities: MEDIUM
We recommend the following actions be taken:
- Apply the appropriate updates provided by Mozilla to vulnerable systems immediately after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
- Inform and educate users about the threats posed by hypertext links in emails or attachments, especially those from untrusted sources.
- Apply the Principle of Least Privilege to all systems and services.
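As an added example (not part of the article or any vendor tooling), the following Python check compares an inventory of installed browser versions against the fixed versions quoted above. It compares versions component-wise rather than as strings, which matters for Chrome builds such as 83.0.4103.116 versus 83.0.4103.97. The hostnames and installed versions in the sample inventory are constructed.

```python
"""Check installed browser versions against the fixed versions named in the advisory."""
from typing import Dict, List, Tuple

# Fixed versions quoted in the article (product line -> minimum patched version).
FIXED_VERSIONS: Dict[str, str] = {
    "chrome": "83.0.4103.97",
    "firefox": "77.0",
    "firefox-esr": "68.9.0",
    "thunderbird": "68.9.0",
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version string into integer components.

    Comparing tuples of ints avoids the classic mistake of comparing version
    strings lexically, where "83.0.4103.116" sorts before "83.0.4103.97".
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)

def is_patched(product: str, installed: str) -> bool:
    """True if the installed version is at or above the advisory's fixed version."""
    required = parse_version(FIXED_VERSIONS[product])
    have = parse_version(installed)
    # Pad the shorter tuple with zeros so "77" == "77.0" and "68.9" == "68.9.0".
    width = max(len(required), len(have))
    required += (0,) * (width - len(required))
    have += (0,) * (width - len(have))
    return have >= required

def find_unpatched(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries still below the fixed version."""
    return [entry for entry in inventory if not is_patched(entry[1], entry[2])]

# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("ws-001", "chrome", "83.0.4103.61"),    # below the fixed build -> unpatched
    ("ws-002", "chrome", "83.0.4103.116"),   # later build -> patched
    ("ws-003", "firefox", "76.0.1"),         # unpatched
    ("ws-004", "firefox-esr", "68.8.0"),     # unpatched
    ("ws-005", "firefox-esr", "68.9"),       # equal after padding -> patched
    ("ws-006", "thunderbird", "68.9.0"),     # patched
]

if __name__ == "__main__":
    for host, product, version in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below {FIXED_VERSIONS[product]}")
```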