Mozilla has published updates for two critical security issues in Firefox and Thunderbird, demonstrated during Pwn2Own Vancouver. The vulnerabilities, discovered in the Firefox JavaScript engine (shared by the Firefox-based Tor browser), relate to Firefox 100.0.2, Firefox for Android 100.3.0, and Firefox ESR 91.9.1. For Thunderbird users, the vulnerability relates to Thunderbird 91.9.91.
Additionally, there is some fallout beyond the standard versions of Firefox and Thunderbird. Users of the anti-surveillance Tails Operating System have been warned to stop using the bundled Tor browser until a fix goes live. This is because it could potentially be vulnerable to CVE-2022-1802:
This vulnerability allows a malicious website to bypass some of the security built in Tor Browser and access information from other websites.
For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.
This vulnerability doesn’t break the anonymity and encryption of Tor connections.
The fix for this Tails issue may not be seen until at least version 5.1. At time of writing, the expected release date for this is May 31.
The vulnerabilities
The two issues come with the following descriptions:
CVE-2022-1802 is a critical prototype pollution vulnerability. According to Mozilla, an attacker who was able to corrupt the methods of an Array object in JavaScript via prototype pollution could have executed malicious JavaScript code in a privileged context.
CVE-2022-1529 is another critical prototype pollution vulnerability. In this case, Mozilla says that untrusted user input was used in object indexing, leading to prototype pollution, which could have allowed an attacker to execute malicious JavaScript code in a privileged context.
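The bug class both descriptions name can be shown in a few lines of plain JavaScript. This is an added example, not Mozilla's code or the actual Firefox flaws: a setter that indexes objects with untrusted keys, next to a hardened version. The function names and the sample path are constructed for illustration.

```javascript
// Constructed illustration of the bug class with hypothetical names; not Mozilla code.
// Vulnerable: untrusted path segments index objects directly, so "__proto__" escapes the target.
function setPathUnsafe(target, path, value) {
  const keys = path.split(".");
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== "object" || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
}

// Hardened: reject prototype-reaching keys, descend only into own properties.
const FORBIDDEN = new Set(["__proto__", "prototype", "constructor"]);
function setPathSafe(target, path, value) {
  const keys = path.split(".");
  if (keys.some((k) => FORBIDDEN.has(k))) throw new TypeError("prototype-reaching key: " + path);
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== "object" || node[key] === null) {
      node[key] = Object.create(null); // new nodes have no prototype chain
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

function demo() {
  const original = Array.prototype.includes;
  const result = { safeRejected: false };
  try {
    // Constructed untrusted input that reaches Array.prototype.
    setPathUnsafe([], "__proto__.includes", () => true);
    result.unsafeCorrupted = [1, 2].includes(99); // every array is affected
  } finally {
    Array.prototype.includes = original; // undo the pollution
  }
  try {
    setPathSafe([], "__proto__.includes", () => true);
  } catch (e) {
    result.safeRejected = e instanceof TypeError;
  }
  result.intactAfterSafe = [1, 2].includes(99);
  result.normalWrite = setPathSafe({}, "user.name", "alice").user.name;
  return result;
}
console.log(demo());
```

The unsafe setter changes the behaviour of an Array method for every array in the realm, which is why pollution that reaches code running in a privileged context is rated critical.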
Update now, if you haven’t already
Most installations of Thunderbird and Firefox will be set to update by default. If this is the case, you should already have the security fixes applied and you have nothing to worry about.
This isn’t the case for all installations, however. If you don’t have Firefox or Thunderbird set to update automatically, the fix won’t be present. As a result, you’ll need to manually apply the update.
In Firefox, navigate to Settings and then click General > Firefox Updates.
From here, select the most suitable option from Allow Firefox to:
- Automatically install updates
- Check for updates but let you choose to install them.
The update process for Thunderbird is much the same as Firefox. By default, it’s set to update manually, but you can select similar options to Firefox using the Advanced option in the Updates tab.
With both of these tasks accomplished, you should no longer be at risk from either CVE.