Update to Firefox 124.0.1 and Firefox ESR 115.9.1 available

The Mozilla developers have fixed two critical security vulnerabilities with the updates Firefox 124.0.1 and Firefox ESR 115.9.1. Users of these browsers should apply the update quickly.

The according security advisory for Firefox 124.0.1 lists two critical security vulnerabilities that the new versions fix. Attackers could read or write a Javascript object outside the intended memory limits. This is said to have been achieved using a deception using a so-called Range-based bounds check elimination mechanism (CVE-2024-29943, no CVSS, risk critical according to Mozilla). Basically, this involves checking whether storage limits are being adhered to.

The second critical vulnerability also affects Javascript. Attackers were able to inject an event handler into a privileged object and thus execute arbitrary Javascript code in the parent process with high privileges (CVE-2024-29944, no CVSS, critical). This gap only affects the desktop versions of the web browsers, but in addition to Firefox 124.0 and older versions, it also affects Firefox ESR 115.9 and older. Although the security notices do not describe what attacks would actually look like, viewing carefully prepared websites is usually enough to abuse these vulnerabilities.

Only the security fixes can be found as changes in the release notes for Firefox 124.0.1. Mozilla browser users should apply the updates quickly. The easiest way to do this is to use the version dialog, which opens by clicking on the symbol with the three horizontal lines to the right of the address bar and continuing via Help – About Firefox.