If an attacker could force a specific Garbage Collector state, they could run arbitrary code as the Garbage Collector user. We’ve now fixed the issues through the following mitigations:

Developers now have to explicitly annotate memory allocations with their type. This limits the potential attack surface and makes it harder for an attacker to exploit this vulnerability.

We’ve enabled ExtraVerification on all the TLS sockets used by the browser, which makes it harder for an attacker to exploit this vulnerability by forcing a specific TLS state.

We’ve hardened our code against a specific type of attack that was possible in the previously described situation.

References: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Known_vulnerabilities

https://bugzilla.mozilla.org/show_bug.cgi?id=1094472

https://bugzilla.mozilla.org/show_bug.cgi?id=1092106

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/04/2023 02:51:00 UTC
