MS-ISAC NOTICE NUMBER:
2024-095
PUBLICATION DATES:
03/09/2024
OVERVIEW:
Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended for deployment in large organizations. Successful exploitation of the most severe of these vulnerabilities could allow arbitrary code execution in the context of the logged-on user. Depending on the user's privileges, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
THREAT INFORMATION:
There are no reports of these vulnerabilities being exploited in the wild.
AFFECTED SYSTEMS:
- Firefox versions prior to 130
- Firefox ESR versions prior to 115.15
- Firefox ESR versions prior to 128.2
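The affected-version list above is the detection rule for this notice. The following script is an added example (not MS-ISAC or Mozilla code) that applies it to a software inventory: it parses Firefox and Firefox ESR version strings, compares each install against the fixed release for its channel, and reports the hosts that still need the update. The inventory records are constructed sample data, and the choice to treat an ESR branch not named in the notice (such as 102.x) as still vulnerable is an assumption of the example.

```python
"""Flag Firefox / Firefox ESR installs older than the fixed versions listed in
MS-ISAC notice 2024-095. Added example, not the advisory's own tooling."""

from dataclasses import dataclass

# Fixed versions taken from the AFFECTED SYSTEMS section of the notice.
FIXED_STABLE = (130,)                      # Firefox versions prior to 130
FIXED_ESR = {115: (115, 15), 128: (128, 2)}  # ESR prior to 115.15 / 128.2


def parse_version(text: str) -> tuple:
    """Turn '115.14.0esr' or '129.0.2' into a comparable integer tuple.
    The 'esr' suffix is dropped; malformed input raises ValueError."""
    core = text.strip().lower().removesuffix("esr")
    if not core:
        raise ValueError(f"empty version string: {text!r}")
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(version: str, esr: bool) -> bool:
    """True if this build is older than the fixed release for its channel.

    ESR builds are compared only against the fixed version of their own
    major branch. An ESR major that the notice does not list (for example
    102) is assumed to be out of support and is reported as vulnerable;
    that policy is this example's assumption, not a statement of the notice.
    """
    parsed = parse_version(version)
    if esr:
        fixed = FIXED_ESR.get(parsed[0])
        if fixed is None:
            return True
        return parsed < fixed
    return parsed < FIXED_STABLE


@dataclass
class Host:
    name: str
    version: str
    esr: bool


# Constructed inventory records for the demonstration; not real hosts.
SAMPLE_INVENTORY = [
    Host("ws-01", "129.0.2", esr=False),
    Host("ws-02", "130.0", esr=False),
    Host("srv-03", "115.14.0esr", esr=True),
    Host("srv-04", "115.15.0esr", esr=True),
    Host("srv-05", "128.1.0esr", esr=True),
    Host("srv-06", "128.2.0esr", esr=True),
    Host("legacy-07", "102.15.1esr", esr=True),
]


def find_vulnerable_hosts(inventory) -> list:
    """Names of hosts whose Firefox build predates the fixed version."""
    return [h.name for h in inventory if is_vulnerable(h.version, h.esr)]


if __name__ == "__main__":
    for name in find_vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{name}: Firefox update required (MS-ISAC 2024-095)")
```

Tuple comparison does the right thing for versions of different length: `(130, 0)` is not less than `(130,)`, so a host reporting "130.0" is correctly treated as patched, while "129.0.2" and "115.14.0esr" are flagged. Feeding the script a real inventory export only requires mapping each record to a `Host` with the ESR flag set from the installed channel.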
RISK:
Government:
Large and medium government entities
Small government
Companies:
Large and medium business entities
Small business entities
TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow arbitrary code execution. Details of the most critical vulnerabilities are as follows:
Tactic: Initial Access (TA0001):
Technique: Drive-by Compromise (T1189):
- Type confusion when looking up a property name in a “with” block (CVE-2024-8381)
- WASM type confusion involving ArrayTypes (CVE-2024-8385)
- Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2 (CVE-2024-8387)
- Memory safety bugs fixed in Firefox 130 (CVE-2024-8389)
Additional lower severity vulnerabilities include:
- Internal event interfaces were exposed to web content when browser event handler listener callbacks were executed (CVE-2024-8382)
- Firefox did not ask for confirmation before opening What's New: links in an external application (CVE-2024-8383)
- Garbage collection may cause cross-compartment objects to be incorrectly colored under OOM conditions (CVE-2024-8384)
- SelectElements could be displayed on another site if pop-ups are allowed (CVE-2024-8386)
- A full-screen notice on Android could be hidden under various OS panels and prompts (CVE-2024-8388)
Successful exploitation of the most severe of these vulnerabilities could allow arbitrary code execution in the context of the logged-on user. Depending on the user's privileges, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
RECOMMENDATIONS:
We recommend taking the following measures:
- Apply the stable channel update provided by Mozilla to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and maintain a vulnerability management process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually or when significant changes in the business may impact this safeguard.
- Safeguard 7.4: Perform automated application patch management: Perform application updates on enterprise assets with automated patch management on a monthly or more frequent basis.
- Safeguard 7.5: Perform automated vulnerability scans of internal enterprise assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly or more frequent basis. Perform authenticated and unauthenticated scans using a SCAP-enabled vulnerability scanning tool.
- Apply the principle of least privilege to all systems and services. Run all software as an unprivileged user (without administrative privileges) to reduce the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage default accounts on enterprise assets and software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Implementation examples may include disabling default accounts or preventing them from being used.
- Safeguard 5.4: Restrict administrator privileges to dedicated administrator accounts: Limit administrator privileges to dedicated administrator accounts on enterprise assets. Perform general computing activities, such as Internet browsing, email, and productivity suite use, from users' primary, non-privileged accounts.
- Use features to detect and block conditions that may lead to or indicate that software exploitation is occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploit Features: Enable anti-exploitation features on enterprise assets and software where possible, such as Microsoft Data Execution Prevention (DEP), Windows Defender Exploit Guard (WDEG), or Apple System Integrity Protection (SIP) and Gatekeeper.
- Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
- Safeguard 9.2: Use DNS filtering services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
- Safeguard 9.3: Maintain and apply network-based URL filters: Apply and update network-based URL filters to prevent an enterprise asset from connecting to potentially malicious or untrusted websites. Implementation examples include category-based filtering, reputation-based filtering, or using blocklists. Apply filters for all enterprise assets.
- Safeguard 9.6: Block unnecessary file types: Block unnecessary file types attempting to enter the enterprise's email gateway.
- Block code execution on a system via application control and/or script blocking. (M1038: Execution Prevention)
- Safeguard 2.5: Whitelist authorized software: Use technical controls, such as application whitelisting, to ensure that only authorized software can execute or be accessed. Reassess twice a year or more frequently.
- Safeguard 2.6: Whitelist authorized libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc. files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess twice a year or more frequently.
- Safeguard 2.7: Whitelist authorized scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc. files, are allowed to execute. Block unauthorized scripts from executing. Reassess twice a year or more frequently.
- Use features to prevent suspicious behavior from occurring on endpoint systems. This could include suspicious behavior related to processes, files, API calls, etc. (M1040: Behavior Prevention on Endpoint)
- Safeguard 13.2: Deploy a host-based intrusion detection solution: Deploy a host-based intrusion detection solution on enterprise assets where appropriate and/or supported.
- Safeguard 13.7: Deploy a host-based intrusion prevention solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include using an Endpoint Detection and Response (EDR) client or a host-based IPS agent.
- Inform and educate users about the threats posed by hyperlinks contained in emails or attachments, especially those from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources. (M1017: User Training)
- Safeguard 14.1: Establish and maintain a security awareness program: Establish and maintain a security awareness program. The goal of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Provide training upon hire and, at a minimum, annually. Review and update the content annually or when significant changes to the business may impact this safeguard.
- Safeguard 14.2: Train staff to recognize social engineering attacks: Train staff to recognize social engineering attacks, such as phishing, pretexting, and tailgating.