Surf Safely: Firefox 128 Squashes High-Impact Security Bugs!

Firefox 128 Squashes Bugs: Tapjacking, Clipboard Chaos, and Full-Screen Phishing Foiled! Stay safe, update, and avoid digital drama.

Hot Take:

Firefox just patched up more holes than a street after a kids’ jackhammer birthday party. And let me tell you, some of these bugs were sneakier than a cat burglar on a velvet ladder. Get ready to update your browsers, folks, because it’s patch o’clock!

Key Points:

  • Firefox 128 squashes a creepy-crawly collection of security bugs, some of which had the potential to let attackers run arbitrary code on your system.
  • Tapjacking in Android, memory corruption, and clipboard peepers are just the appetizers on this bug buffet.
  • Pointers running wild, full-screen mode hostage situations, and cookie capers are part of the digital drama.
  • A race condition that’s more like an Olympic sprint for permissions might have left your data waving from the starting line.
  • Memory safety bugs that are like finding out your house was built on a sinkhole – now thankfully filled in with solid updates.

Cve id: CVE-2024-6607
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 07/09/2024
Cve description: It was possible to prevent a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a `<select>` element over certain permission prompts. This could be used to confuse a user into giving a site unintended permissions. This vulnerability affects Firefox < 128.

Cve id: CVE-2024-6600
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 07/09/2024
Cve description: Due to large allocation checks in Angle for GLSL shaders being too lenient, an out-of-bounds access could occur when allocating more than 8192 ints in private shader memory on macOS. This vulnerability affects Firefox < 128 and Firefox ESR < 115.13.

Cve id: CVE-2024-6601
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 07/09/2024
Cve description: A race condition could lead to a cross-origin container obtaining permissions of the top-level origin. This vulnerability affects Firefox < 128 and Firefox ESR < 115.13.

Cve id: CVE-2024-6614
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 07/09/2024
Cve description: The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. This vulnerability affects Firefox < 128.

Cve id: CVE-2024-6602
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 07/09/2024
Cve description: A mismatch between allocator and deallocator could have led to memory corruption. This vulnerability affects Firefox < 128 and Firefox ESR < 115.13.

Cve id: CVE-2024-6604
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 07/09/2024
Cve description: Memory safety bugs present in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 128 and Firefox ESR < 115.13.

Cve id: CVE-2024-6612
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 07/09/2024
Cve description: CSP violations generated links in the console tab of the developer tools, pointing to the violating resource. This caused a DNS prefetch which leaked that a CSP violation happened. This vulnerability affects Firefox < 128.

Cve id: CVE-2024-6608
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 07/09/2024
Cve description: It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox window. This vulnerability affects Firefox < 128.

Cve id: CVE-2024-6605
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 07/09/2024
Cve description: Firefox Android allowed immediate interaction with permission prompts. This could be used for tapjacking. This vulnerability affects Firefox < 128.

Cve id: CVE-2024-6603
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 07/09/2024
Cve description: In an out-of-memory scenario an allocation could fail but free would have been called on the pointer afterwards leading to memory corruption. This vulnerability affects Firefox < 128 and Firefox ESR < 115.13.

Cve id: CVE-2024-6613
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 07/09/2024
Cve description: The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. This vulnerability affects Firefox < 128.

Cve id: CVE-2024-6610
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 07/09/2024
Cve description: Form validation popups could capture escape key presses. Therefore, spamming form validation messages could be used to prevent users from exiting full-screen mode. This vulnerability affects Firefox < 128.

Cve id: CVE-2024-6609
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 07/09/2024
Cve description: When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128.

Cve id: CVE-2024-6611
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 07/09/2024
Cve description: A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. This vulnerability affects Firefox < 128.

Cve id: CVE-2024-6606
Cve state: PUBLISHED
Cve assigner short name: mozilla
Cve date updated: 07/09/2024
Cve description: Clipboard code failed to check the index on an array access. This could have led to an out-of-bounds read. This vulnerability affects Firefox < 128.
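
The affected-version statements in the records above are enough to triage a fleet. The script below is an added example, not code from Mozilla or from the original page; the inventory strings are constructed, and flagging ESR builds only for the records that name an ESR threshold is an assumption.

```python
import re

# Fixed versions copied from the CVE records above, padded to three parts.
FIXED_RELEASE = (128, 0, 0)   # "affects Firefox < 128"
FIXED_ESR = (115, 13, 0)      # "affects Firefox ESR < 115.13"

# All fifteen records on the page: CVE-2024-6600 through CVE-2024-6614.
ALL_CVES = [f"CVE-2024-{n}" for n in range(6600, 6615)]
# Assumption: an ESR build is flagged only for the records that name an
# ESR threshold (CVE-2024-6600 through CVE-2024-6604).
ESR_CVES = [f"CVE-2024-{n}" for n in range(6600, 6605)]

VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(esr)?\s*$", re.IGNORECASE)

def parse_version(text):
    """Return ((major, minor, patch), is_esr); raise ValueError if unparseable."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple((parts + [0, 0])[:3]), bool(match.group(2))

def affected_cves(version_text):
    """List the CVEs from this page that still apply to one install."""
    version, is_esr = parse_version(version_text)
    if is_esr:
        return list(ESR_CVES) if version < FIXED_ESR else []
    return list(ALL_CVES) if version < FIXED_RELEASE else []

def triage(inventory):
    """Map host -> list of CVEs, or None when the version needs manual review."""
    report = {}
    for host, version_text in inventory.items():
        try:
            report[host] = affected_cves(version_text)
        except ValueError:
            report[host] = None
    return report

# Constructed inventory; the string format is assumed to match what
# `firefox --version` prints on the hosts being checked.
SAMPLE_INVENTORY = {
    "laptop-01": "Mozilla Firefox 127.0.2",
    "laptop-02": "Mozilla Firefox 128.0",
    "kiosk-01": "Mozilla Firefox 115.12.0esr",
    "kiosk-02": "Mozilla Firefox 115.13.0esr",
    "build-07": "Mozilla Firefox (unknown)",
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(host, "REVIEW" if cves is None else (cves or "patched"))
```

Hosts that come back as `None` are the ones to chase by hand: an unparseable version string is not evidence of a patched browser.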

Need to know more?

Tapping into Trouble

First up on the hit list is the tapjacking terror, CVE-2024-6605, where Firefox for Android let users interact with permission prompts the instant they appeared. The result? A potential digital "Whack-A-Mole" where you tap and hackers win prizes.

Out-of-Bounds and Out of Control

Clipboard aficionados beware, CVE-2024-6606 revealed an out-of-bounds read that's about as safe as reading a book while juggling chainsaws. Not advised.

Escape Key, The Great Houdini

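Then we have the pointerlock pair, CVE-2024-6607 and CVE-2024-6608. In the first, the Escape key got stage fright and refused to leave the show, trapping users in pointerlock purgatory while a validation notice sat on top of a permission prompt. In the second, an iframe could use pointerlock to move the cursor outside the viewport and the Firefox window, like a mouse from a cat.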

Memory Mayhem

Memory corruption, the classic villain, rears its head multiple times. CVE-2024-6609, CVE-2024-6600, CVE-2024-6602, and CVE-2024-6603 all tell tales of memory mishaps that could make your browser's thoughts as scrambled as eggs at a diner.

Permission Slip-ups

Got a need for speed? CVE-2024-6601 showcases a race condition that could give out permissions like candy on Halloween. Sweet for trick-or-treaters, not so much for your online security.

Cookie Monster's Less-Known Cousin

Over in the cookie jar, CVE-2024-6611 found a way for those SameSite=Strict or Lax cookies to hitch a ride on cross-site navigations. Who knew iframes could be cookie smugglers?

DevTools or DevFools?

And for the developers in the house, CVE-2024-6612 exposed that even the tools meant to keep us safe can have loose lips, with CSP violations gossiping about their existence through DNS prefetches.

WASM Woes

Lastly, CVE-2024-6613 and CVE-2024-6614 had the frame iterator in a loop, spinning around like a dog chasing its tail, all thanks to some pesky wasm frames.

Memory Safety Wrap-up

Cap it all off with a grand finale, CVE-2024-6604, where a plethora of memory safety bugs got squished. It's like the digital equivalent of a monster truck rally on Bug Hill - crushing those memory bugs into oblivion.

So there you have it, folks. If you're using Firefox, it's time to embrace change and hit that update button faster than a kid who just heard the ice cream truck. Stay safe out there in the cyber jungle!
