A Mozilla Foundation update to the Firefox web browser, released Tuesday, tackles one critical vulnerability and a handful of high-severity bugs. The update, released as Firefox version 84, is also billed by Mozilla as boosting the browser’s performance and adding native support for macOS hardware running on its own Apple processors.
In total, six high-severity flaws were fixed, in addition to the critical bug, tracked as CVE-2020-16042. The specific critical bug in Firefox was also highlighted earlier this month in Google’s Chrome browser security update, where it was rated as a high-severity flaw.
The Firefox and Chrome bug in question (CVE-2020-16042) is still not fully described by either browser maker, and is only listed as a memory bug.
Mystery Bug Also Impacts Google Chrome Web Browser
In the Mozilla security advisory, CVE-2020-16042 is described as a flaw in the JavaScript component called BigInt that “could have caused uninitialized memory to be exposed.”
BigInt is a JavaScript component used to represent “arbitrarily large integers” in the context of a JavaScript process within the browser, according to a Mozilla description.
Google describes the same flaw differently. It calls it an “uninitialized-use” bug impacting Chrome’s V8 JavaScript engine. It is also unclear from Google’s bulletin the exact nature of the flaw. But cybersecurity researchers have described these types of uninitialized-use bugs as “largely overlooked” and often “regarded as insignificant memory errors.”
“[These] are actually a critical attack vector that can be reliably exploited by hackers to launch privilege-escalation attacks in the Linux kernel,” according to 2017 research published by the Georgia Institute of Technology.
The CVE was also referenced last week by Microsoft, as part of its December Patch Tuesday list of bugs impacting its Edge browser version 87.0.664.57. Microsoft’s Edge browser, release in January 2020, is based on Google’s open-source software project Chromium. The Chromium source code is used in Google’s Chrome browser and Microsoft’s 2020 Edge browser.
The V8 JavaScript Engine and WebAssembly
The V8 open-source JavaScript engine was developed by the Chromium Project for Google Chrome and Chromium web browsers. The V8 JavaScript engine is not supported by Firefox, but the WebAssembly component, often associated with V8, is.
WebAssembly, or WASM for short, is an open standard that defines a portable binary-code format for executable programs, according to the WebAssembly project. “WebAssembly describes a memory-safe, sandboxed execution environment that may even be implemented inside existing JavaScript virtual machines,” according to the project website.
Mozilla’s Firefox browser is not Chromium based. WASM is supported in Mozilla Firefox and Apple Safari, even though both do not use Google’s V8. Some clues as to the nature of the bug can be derived by the fact the bug impacts both the Firefox and Chrome browser – the common denominator is WASM. In addition, a 2018 analysis of WASM and V8 bugs warned of possible security issues.
In 2018, Google’s Project Zero published research titled “The Problems and Promise of WebAssembly” and identified three vulnerabilities, which were mitigated. One future WASM threats, Google warned, was tied to WebAssembly’s garbage collector (GC) function.
WebAssembly the Culprit?
GC is an important process tied to JavaScript engines. “Java applications obtain objects in memory as needed. It is the task of GC in the Java virtual machine (JVM) to automatically determine what memory is no longer being used by a Java application and to recycle this memory for other uses,” describes John Worthington in a post on the importance of GC.
As for Google, it warned in 2018:
“WebAssembly GC is another potential feature of WebAssembly that could lead to security problems. Currently, some uses of WebAssembly have performance problems due to the lack of higher-level memory management in WebAssembly. For example, it is difficult to implement a performant Java Virtual Machine in WebAssembly. If WebAssembly GC is implemented, it will increase the number of applications that WebAssembly can be used for, but it will also make it more likely that vulnerabilities related to memory management will occur in both WebAssembly engines and applications written in WebAssembly.”
At both national vulnerability database repositories, MITRE and NIST, the technical specifics of the CVE have yet to be publicly disclosed. In Google’s December Security Bulletin, it noted details tied to CVE-2020-16042 and other bugs were being withheld, “until a majority of users are updated with a fix.” It also noted that when and if bugs exist in third-party code libraries used in other devices or platforms, technical details of the bugs are limited.
Credited for finding the bug is bug hunter André Bargull, who originally reported the bug on November 23, according to Google.
Six High-Severity Firefox Bugs
Memory issues dominated the list of high-severity bugs patched by Mozilla Tuesday. Two “memory safety bugs” (CVE-2020-35114 and CVE-2020-35113) were patched. Both CVEs addressed bugs in Firefox 84 and its large-enterprise Firefox extended support release (ESR) 78.6 browser.
“Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla wrote of both bugs.
Also tied to browser memory are bugs tracked as CVE-2020-26971, CVE-2020-26972 and CVE-2020-26973, which include a heap-buffer-overflow in WebGL, use-after-free in WebGL and a CSS sanitizer performed incorrect sanitization flaw.
Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back.
Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, Israel Barak, CISO at Cybereason and Limor Kessem, Executive Security Advisor at IBM Security on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.