CVE-2022-2505 Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102

There are no workarounds at this time. We recommend blocking the affected version numbers until a new version with fixes is released.

An attacker could host a malicious website that is loaded with network traffic. If a user was running an affected version of Firefox or Thunderbird with browsing data enabled, and visited this malicious site, it could be possible to run arbitrary code as the user.

END

A total of 4 security issues were reported in this release. Some of these issues were also fixed in the previous release.
In addition to the fixes for security issues, this release also includes performance improvements where possible and fixes for several known regressions.
There are no known critical issues at this time.

An uninitialized variable in libxul.dll was fixed that could be used to possibly execute code as the user.

An issue with the session restore feature was fixed that prevented the “Restore session” button from functioning as expected.

An issue with the installation of add-ons from non-certified sources that affected users who had installed an older version of Firefox or Thunderbird was fixed.

An issue with the Mozilla Updater that caused it to stop working as expected when upgrading to Firefox or Thunderbird was fixed.

An issue with the way proxies were handled that could have prevented some proxies from being set up was fixed.

An issue with the way Firefox and Thunderbird handle proxy settings that could have caused

What is new in Firefox 52.0?

An issue with the way Firefox handles proxy settings that could have caused a crash when visiting certain sites was fixed.

An issue with the way Firefox and Thunderbird handle proxy settings that could have caused a crash when visiting certain sites was fixed.

An issue with the way Firefox and Thunderbird handled proxy settings that could have prevented users from using some proxies or prevented them from being set up was fixed.

What to do if you are vulnerable to CVE-2015-2705

1) The browser will automatically update to Firefox/Thunderbird 3.2 or later, if your current version is below 3.2.
2) You should manually update to one of the above versions of Firefox/Thunderbird and run a browser restart afterwards.
3) You can remove your add-ons from this malicious website and then disable the “Allow plug-ins to install” option in Firefox/Thunderbird until you get an updated version with fixes for these 4 security issues.

Installation notes for developers

A total of 1 security issue was reported in this release. Some of these issues were also fixed in the previous release.
In addition to the fixes for security issues, this release also includes performance improvements where possible and fixes for several known regressions.
There are no known critical issues at this time.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/03/2023 21:04:00 UTC

References

• https://www.mozilla.org/security/advisories/mfsa2022-30/
• https://www.mozilla.org/security/advisories/mfsa2022-32/
• https://www.mozilla.org/security/advisories/mfsa2022-28/
• https://bugzilla.mozilla.org/buglist.cgi?bug_id=1769739%2C1772824
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2505