Mozilla has issued a critical patch for Firefox, Firefox ESR, and Thunderbird after a security issue was discovered at the Tianfu Cup 2020 International Cybersecurity Contest

The security issue has been assigned CVE-2020-26950 which has the “reserved” status. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) list—a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

What is the problem that’s being fixed?

The description Mozilla published itself reveals that write side effects in MCallGetProperty opcode were not accounted for. In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition.

Use-after-free is a naming convention for vulnerabilities related to the incorrect use of dynamic memory during an operation by a program. It means that after freeing a memory location, a program does not clear the pointer to that memory, which could allow an attacker to abuse the error and launch a buffer overflow attack. In a “worst case” scenario this could allow for a remote code execution (RCE) attack, but whether that is true in this case is unknown at the moment.

Which versions are vulnerable?

Make sure you are on the latest versions of the following:

  • Firefox should be updated to version 82.0.3 or later
  • Firefox ESR (Extended Support Release) should be updated to version 78.4.1 or later
  • Thunderbird should be updated to 78.4.2

Firefox Extended Support Release (ESR) is a version of the popular browser for large organizations that need to deploy and maintain Firefox at a large scale. It does not have all the latest functions, to limit the number of updates, but it does receive security and stability updates.

How do I check my version and update?

To find out which version you are using on a Windows machine, open the application menu and click on Help > About. On a Mac, look at the top menu and click Firefox > About Firefox. This will show which version you currently have and whether an update is available.

Version screen Firefox

The screens and the way to access are largely the same for all the Mozilla programs, so we will only show the Firefox example.

After the update you should see a screen similar to this:

The next stable version of Firefox will be released on November 17, 2020.

Stay safe, everyone!