Firefox 126 Heroically Squashes Pesky Security Bugs: Surf Safely Again!

Firefox 126 squashes pesky bugs like a superhero in a code cape! From audio gremlins to PDF.js hijinks, your browser’s now safer than a rubber duck in a kiddie pool. #SecurityVulnerabilitiesFixed 🦟💥🦆

Hot Take:

Looks like Mozilla’s been playing Whack-a-Mole with security holes, and this time they’ve hammered down a funfair of vulnerabilities ranging from “Oops, my audio’s gone loopy” to “Hey, that’s not supposed to be a font!” Brace yourselves, Firefox faithful; your browser just got a steel-plated update!

Key Points:

  • Audio input could’ve gone on a free-for-all with multiple WebRTC threads, but now it’s been reined in.
  • PDF.js thought fonts were boring, so it tried running JavaScript instead—no longer!
  • Firefox for Android had a bad case of manifest destiny, but it’s been cured with a hash diet.
  • Full-screen notifications were playing hide and seek, and clickjacking was almost as fun as stealing candy from a kid.
  • There were enough memory safety bugs to start a tiny digital zoo, but the Mozilla team has put them all on a leash.

Cve id: CVE-2024-4773
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 05/14/2024
Cve description: When a network error occurred during page load, the prior content could have remained in view with a blank URL bar. This could have been used to obfuscate a spoofed web site. This vulnerability affects Firefox < 126.

Cve id: CVE-2024-4367
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 05/14/2024
Cve description: A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

Cve id: CVE-2024-4776
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 05/14/2024
Cve description: A file dialog shown while in full-screen mode could have resulted in the window remaining disabled. This vulnerability affects Firefox < 126.

Cve id: CVE-2024-4777
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 05/14/2024
Cve description: Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

Cve id: CVE-2024-4770
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 05/14/2024
Cve description: When saving a page to PDF, certain font styles could have led to a potential use-after-free crash. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

Cve id: CVE-2024-4771
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 05/14/2024
Cve description: A memory allocation check was missing which would lead to a use-after-free if the allocation failed. This could have triggered a crash or potentially be leveraged to achieve code execution. This vulnerability affects Firefox < 126.

Cve id: CVE-2024-4764
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 05/14/2024
Cve description: Multiple WebRTC threads could have claimed a newly connected audio input leading to use-after-free. This vulnerability affects Firefox < 126.

Cve id: CVE-2024-4765
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 05/14/2024
Cve description: Web application manifests were stored by using an insecure MD5 hash which allowed for a hash collision to overwrite another application's manifest. This could have been exploited to run arbitrary code in another application's context. *This issue only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 126.

Cve id: CVE-2024-4768
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 05/14/2024
Cve description: A bug in popup notifications' interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

Cve id: CVE-2024-4772
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 05/14/2024
Cve description: An HTTP digest authentication nonce value was generated using `rand()` which could lead to predictable values. This vulnerability affects Firefox < 126.

Cve id: CVE-2024-4775
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 05/14/2024
Cve description: An iterator stop condition was missing when handling WASM code in the built-in profiler, potentially leading to invalid memory access and undefined behavior. *Note:* This issue only affects the application when the profiler is running. This vulnerability affects Firefox < 126.

Cve id: CVE-2024-4766
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 05/14/2024
Cve description: Different techniques existed to obscure the fullscreen notification in Firefox for Android. These could have led to potential user confusion and spoofing attacks. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 126.

Cve id: CVE-2024-4767
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 05/14/2024
Cve description: If the `browser.privatebrowsing.autostart` preference is enabled, IndexedDB files were not properly deleted when the window was closed. This preference is disabled by default in Firefox. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

Cve id: CVE-2024-4769
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 05/14/2024
Cve description: When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

Cve id: CVE-2024-4774
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 05/14/2024
Cve description: The `ShmemCharMapHashEntry()` code was susceptible to potentially undefined behavior by bypassing the move semantics for one of its data members. This vulnerability affects Firefox < 126.
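
The CVE-2024-4772 record above says the HTTP digest authentication nonce was generated with `rand()`. The following C program is an added example, not Firefox code: it contrasts a `rand()`-derived nonce, which is fully determined by its seed, with one read from the kernel CSPRNG. The function names, the 16-byte nonce size and the seed value are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NONCE_BYTES 16
#define NONCE_HEX_LEN (NONCE_BYTES * 2)

/* Hex-encode n bytes into out; out must hold 2*n + 1 chars. */
static void to_hex(const unsigned char *in, size_t n, char *out) {
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < n; i++) {
        out[2 * i] = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * n] = '\0';
}

/* Weak pattern: every nonce byte comes from rand(), so the nonce is a
 * pure function of the seed. How the seed is chosen is an assumption
 * here; the CVE text only states that rand() was used. */
void weak_nonce(unsigned int seed, char out[NONCE_HEX_LEN + 1]) {
    unsigned char buf[NONCE_BYTES];
    srand(seed);
    for (size_t i = 0; i < NONCE_BYTES; i++)
        buf[i] = (unsigned char)(rand() & 0xff);
    to_hex(buf, NONCE_BYTES, out);
}

/* Hardened pattern: read the bytes from the kernel CSPRNG.
 * Returns 0 on success, -1 if the random source cannot be read. */
int strong_nonce(char out[NONCE_HEX_LEN + 1]) {
    unsigned char buf[NONCE_BYTES];
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(buf, 1, NONCE_BYTES, f);
    fclose(f);
    if (got != NONCE_BYTES) return -1;  /* never emit a short nonce */
    to_hex(buf, NONCE_BYTES, out);
    return 0;
}

int main(void) {
    char a[NONCE_HEX_LEN + 1], b[NONCE_HEX_LEN + 1];
    weak_nonce(1715644800u, a);  /* constructed sample seed */
    weak_nonce(1715644800u, b);
    printf("rand(): same seed repeats nonce: %s\n", strcmp(a, b) == 0 ? "yes" : "no");
    if (strong_nonce(a) == 0 && strong_nonce(b) == 0)
        printf("CSPRNG: two calls repeat nonce: %s\n", strcmp(a, b) == 0 ? "yes" : "no");
    return 0;
}
```
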

Need to know more?

The Sound of Security

Imagine the chaos of a karaoke party where everyone's mic gets jumbled up. That's what could've happened in Firefox's own version of The Voice, with WebRTC threads vying for the spotlight. Thankfully, Mozilla's tech maestros tuned up the code, ensuring your "Bohemian Rhapsody" solo won't turn into a duet with a stranger's podcast.

Fonts with a Twist

In a bold move that Comic Sans would be proud of, fonts in PDF.js tried to break free from their typefaces, aiming to execute arbitrary JavaScript. It's like if your printer started making coffee—it's not supposed to happen, but part of you wishes it could. Alas, this font revolution has been quelled, and order is restored in PDF land.

Manifest Mayhem on Mobile

Web application manifests in Firefox for Android were feeling a bit too hash-tagged with their insecure MD5 hash. The possibility of a hash collision was the digital equivalent of swapping name tags at a party, leading to some potentially awkward encounters. Mozilla's security bouncers have now improved the guest list protocol, ensuring everyone's name tags match their rightful apps.

Peek-a-Boo, I Spoof You

Full-screen notifications in Firefox for Android were playing a game of now-you-see-me, now-you-don't, which could have led to some spoof-tastic shenanigans. Add to that the clickjacking exploit that almost turned permission requests into a game of Simon Says, and you've got a party that needed adult supervision. Mozilla's update is like the responsible chaperone that sends the troublemakers home.

Memory Bug Roundup

Last but not least, let's talk about the memory safety bugs. These little critters were like gremlins in the system, waiting for the right moment to munch on your bytes and bits. Some could have even worn a hacker's hat with enough effort. But Mozilla's pest control—aka the Fuzzing Team—has been hard at work, squashing these bugs and fortifying the digital fortress that is Firefox.

So there you have it. If Firefox 126 were a superhero, it would be wearing a cape right now, standing triumphantly atop a pile of patched-up security threats. Update that browser, folks, and surf with the confidence of a thousand bug-free waves!
