It does not affect the latest stable Firefox 105 or SeaMonkey 2.40. Mozilla released a revised version of Firefox ESR, version 102.3, as well as Thunderbird ESR, version 102.3, to address these issues. Users can update their installations by going to Menu > Options > Help and installing the update.

Mozilla also encourages users to avoid clicking on remote content if they can, especially when downloading software, as an attacker could potentially host any content they like on the compromised system. Most importantly, apply the appropriate updates now as a preventative measure.

Mozilla Firefox ESR and SeaMonkey 2.40 Overview

The update to Firefox ESR and Thunderbird ESR addresses the following issues:
CVE-2022-40962 - Remote code execution (RCE) vulnerability in WebGL
CVE-2022-40964 - Use after free in ImageBitmap::parse()
CVE-2022-40965 - Use after free in nsFrameManager::GetPrimaryFrameByID()
CVE-2022-40966 - Fragment use after free in nsContentUtils::ReplaceOrInsertBeforeAfterFragment()
CVE-2022-40968 - Use of uninitialized value in SkiaGLContext::DrawText()

How to prevent Firefox from downloading malicious content?

If you keep your Firefox up to date, it should not be affected by these vulnerabilities. If you are not running the latest stable version of Firefox or SeaMonkey, please update now so that you don't run into a vulnerability like this in the future.

To prevent Firefox from downloading malicious content, follow the steps below:
1. Click "Customize" in the top right corner of your browser.
2. Under "Downloads", click on "Options".
3. Select "Do not allow any sites to download or install software."

Firefox ESR and Thunderbird ESR

Mozilla released two updates for Firefox and Thunderbird to address these vulnerabilities. Users can update their installations by going to Menu > Options > Help and installing the updates.
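
To confirm that an installation is at or above the fixed 102.3 release named above, the reported version can be compared field by field. This is an added example, not Mozilla tooling; the function names, status labels and sample version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Mozilla tooling. FIXED is the fixed release named on this page.
FIXED="102.3"

# Pull the dotted numeric version out of a line such as
# "Mozilla Firefox 102.2.0esr"; trailing suffixes like "esr" are dropped.
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*$/\1/p'
}

# Succeed if version $1 >= version $2. Each dotted field is compared as a
# number, so 102.10 ranks above 102.3 (a plain string compare gets this wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            p = (i <= n) ? x[i] + 0 : 0   # missing fields count as 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# Classify one version line: PATCHED, NEEDS_UPDATE or UNKNOWN.
check_line() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN"
    elif version_ge "$v" "$FIXED"; then
        echo "PATCHED"
    else
        echo "NEEDS_UPDATE"
    fi
}

# Constructed samples; the text before the number is an assumption, only the number is parsed.
while IFS= read -r line; do
    printf '%-30s %s\n' "$line" "$(check_line "$line")"
done <<'EOF'
Mozilla Firefox 102.2.0esr
Mozilla Firefox 102.3.0esr
Mozilla Firefox 102.10.0esr
Mozilla Thunderbird 102.2.2
version string missing
EOF
```

On a real host, pass the output of `firefox --version` to `check_line` in place of the sample lines.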

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/04/2023 02:59:00 UTC

References