Mozilla released version 124.0.1 of the Firefox browser to Release channel users (the default channel that most non-developers run) on March 22, 2024. The new version fixes two critical security vulnerabilities. One of the vulnerabilities affects Firefox on desktop only, and doesn't affect mobile versions of Firefox.
Windows users who have automatic updates enabled should have the new version available as soon as, or shortly after, they open the browser.
The version number should read 124.0.1 or higher.
Other users can update their browser by following these instructions:
To change the way in which Firefox installs updates, you can:
The vulnerabilities were found during the Pwn2Own Vancouver 2024 hacking competition. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in this update are:
CVE-2024-29943: An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination. This vulnerability affects Firefox < 124.0.1.
An out-of-bounds read or write occurs when a program accesses memory outside the bounds of an allocated area, potentially leading to a crash, arbitrary code execution, or disclosure of information. This can happen when the size of the data is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data.
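As an added illustration of the three causes just listed (not code from Firefox or from the original article), the following C snippet contrasts an off-by-one bounds predicate with a correct one, and shows a length check that also survives integer wrap-around in the offset plus length arithmetic. The buffer size, function names and sample payload are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size buffer capacity used for illustration. */
#define BUF_CAP 16

/* Off-by-one predicate: accepts index == cap, so a write at that index would
 * land one byte past the allocation ("incorrectly calculates the location").
 * Shown only as a predicate; it is never used to perform a write here. */
bool in_bounds_buggy(size_t index, size_t cap) {
    return index <= cap;
}

/* Correct predicate: valid indices are 0 .. cap-1. */
bool in_bounds(size_t index, size_t cap) {
    return index < cap;
}

/* Range check for a write of len bytes at offset into a cap-byte buffer.
 * Written as len <= cap - offset rather than offset + len <= cap, because
 * offset + len can wrap around in size_t and pass a naive comparison. */
bool range_in_bounds(size_t offset, size_t len, size_t cap) {
    if (offset > cap) {
        return false;           /* wrong location: start is already outside */
    }
    return len <= cap - offset; /* data larger than the remaining space */
}

/* Bounds-checked write: returns 0 on success, -1 if the write would leave buf. */
int checked_write(uint8_t *buf, size_t cap, size_t offset,
                  const uint8_t *data, size_t len) {
    if (!range_in_bounds(offset, len, cap)) {
        return -1;
    }
    memcpy(buf + offset, data, len);
    return 0;
}

int main(void) {
    uint8_t buf[BUF_CAP] = {0};
    const uint8_t payload[] = "constructed"; /* constructed sample: 12 bytes incl. NUL */

    /* Fits: 12 bytes at offset 0 of a 16-byte buffer. */
    printf("write at offset 0: %d\n", checked_write(buf, BUF_CAP, 0, payload, sizeof payload));
    /* Rejected: 8 + 12 = 20 bytes exceeds the 16-byte buffer. */
    printf("write at offset 8: %d\n", checked_write(buf, BUF_CAP, 8, payload, sizeof payload));
    /* Rejected: offset wraps past the buffer; a naive offset + len check would pass. */
    printf("write at SIZE_MAX: %d\n", checked_write(buf, BUF_CAP, SIZE_MAX, payload, 2));
    return 0;
}
```

The two predicates differ only by `<=` versus `<`, which is exactly the kind of miscalculation that turns a safe access into a one-byte overrun; the subtraction form of the range check is the pattern to reach for whenever an attacker controls either the offset or the length.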
CVE-2024-29944: An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process. Note: This vulnerability affects Desktop Firefox only, it does not affect mobile versions of Firefox. This vulnerability affects Firefox < 124.0.1 and Firefox ESR < 115.9.1.
Firefox ESR (Extended Support Release) is offered for organizations, including schools, universities, businesses, and others who need extended support for mass deployments.
An event handler is a program function that the application or operating system runs when a particular event occurs in the application.
Many programming languages are built on the concept of classes and objects to organize programs into simple, reusable pieces of code. A privileged object is a function or piece of code that runs with elevated permissions.
Together, the two vulnerabilities allowed the researcher to achieve a sandbox escape of Firefox. The sandbox is employed to protect against malicious content entering the system through the browser.