Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALASFIREFOX-2023-003

Related Vulnerabilities: CVE-2023-34414   CVE-2023-34416  

The Mozilla Foundation Security Advisory's description of this flaw: The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site. (CVE-2023-34414) The Mozilla Foundation Security Advisory's description of this flaw: Mozilla developers and community members Gabriele Svelto, Andrew McCreight, the Mozilla Fuzzing Team, Sean Feng, and Sebastian Hengst reported memory safety bugs present in Firefox 113 and Firefox ESR 102.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort, some of these could have been exploited to run arbitrary code. (CVE-2023-34416)

Source

ALASFIREFOX-2023-003

Amazon Linux 2 Security Advisory: ALASFIREFOX-2023-003
Advisory Release Date: 2023-08-21 21:01 Pacific
Advisory Updated Date: 2023-09-25 22:13 Pacific
Severity: Important
Issue Overview:

The Mozilla Foundation Security Advisory's description of this flaw: The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site. (CVE-2023-34414)

The Mozilla Foundation Security Advisory's description of this flaw: Mozilla developers and community members Gabriele Svelto, Andrew McCreight, the Mozilla Fuzzing Team, Sean Feng, and Sebastian Hengst reported memory safety bugs present in Firefox 113 and Firefox ESR 102.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort, some of these could have been exploited to run arbitrary code. (CVE-2023-34416)


Affected Packages:

firefox


Issue Correction:
Run yum update firefox to update your system.

New Packages:
aarch64:
    firefox-102.12.0-1.amzn2.0.2.aarch64
    firefox-debuginfo-102.12.0-1.amzn2.0.2.aarch64

src:
    firefox-102.12.0-1.amzn2.0.2.src

x86_64:
    firefox-102.12.0-1.amzn2.0.2.x86_64
    firefox-debuginfo-102.12.0-1.amzn2.0.2.x86_64

Additional References

Red Hat: CVE-2023-34414, CVE-2023-34416

Mitre: CVE-2023-34414, CVE-2023-34416

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started