Firefox, Thunderbird and Tor Browser get security updates

Attackers could break out of the Firefox sandbox. The developers have closed other gaps.

Mozilla's Firefox, Firefox ESR, Thunderbird and the Firefox ESR-based anonymizing web browser Tor are vulnerable. Attackers could crash the browsers or even breach the sandbox.

The developer has listed information about the current releases and vulnerabilities in the security section of their website. The following versions have the latest security updates:

• Firefox 116
• Firefox ESR 102.14
• Firefox ESR 115.1
• Thunderbird 102.14
• Thunderbird 115.1
• Tor Browser 12.5.2

The fixed vulnerabilities

The applications are affected by identical vulnerabilities. Overall, Mozilla classifies the level of threat as high. In situations with little memory, attackers can cause crashes by parsing certain HTML code (CVE-2023-4048 high). Through a bug (CVE-2023-4047 high) and a resulting delay in the display of pop-up notifications, attackers can trick victims into granting them higher privileges.

A vulnerability (CVE-2023-4050 high) in the StorageManager could be particularly dangerous. At this point, under certain conditions, it is conceivable that untrusted data could end up in memory, resulting in a crash. In the course of this, attackers can break out of the sandbox. This protective layer separates the browser from the operating system. If attackers get past them, the entire system is usually at risk.

Tor Browser is based on Firefox ESR and is designed to protect privacy and anonymity while surfing. As can be seen from a recent article, the developers have given the browser other updates in addition to the secure Firefox ESR version. For example, they updated the NoScript extension (11.4.26) and translations.