Mozilla Products March 2024 Secondary Security Update Advisory

Overview

 

An update has been made available to fix vulnerabilities in the Mozilla family of products (Thunderbird, Firefox ESR, and Firefox). Users of affected products are advised to update to the latest version.

 

Affected Products

 

Firefox versions prior to 124

Firefox ESR versions prior to 115.9

Thunderbird versions prior to 115.9

 

Resolved Vulnerabilities

 

High-severity vulnerability in out-of-memory condition handling in the ICU function in Firefox ESR and Thunderbird (CVE-2024-2616) [1], [2]

High-severity system failure vulnerability in the NSS TLS method function in Firefox ESR and Thunderbird (CVE-2024-0743) [1], [2]

High-severity WASM register value mishandling vulnerability in Firefox (CVE-2024-2606) [3]

Critical memory security validation error vulnerability in Firefox (CVE-2024-2615) [3]

Moderate-severity vulnerability in the focus feature of Firefox in which the authorization prompt input delay could expire (CVE-2024-2609) [3]

High-severity vulnerability in Firefox, Firefox ESR, and Thunderbird in which JIT code may fail to save return registers on Armv7-A (CVE-2024-2607) [1], [2], [3]

High-severity vulnerability in Firefox, Firefox ESR, and Thunderbird in which the Windows Error Reporter could be used as a sandbox escape vector (CVE-2024-2605) [1], [2], [3]

High-severity memory security validation error vulnerability in Firefox, Firefox ESR, and Thunderbird (CVE-2024-2614) [1], [2], [3]

High-severity integer overflow vulnerability in Firefox, Firefox ESR, and Thunderbird (CVE-2024-2608) [1], [2], [3]

Moderate-severity vulnerability in NSS in Firefox, Firefox ESR, and Thunderbird that is prone to timing attacks against RSA decryption (CVE-2023-5388) [1], [2], [3]

Moderate-severity vulnerability in Firefox, Firefox ESR, and Thunderbird due to improper handling of html and body tags, resulting in CSP nonce leakage (CVE-2024-2610) [1], [2], [3]

Moderate-severity use-after-free (UAF) vulnerability in Firefox, Firefox ESR, and Thunderbird (CVE-2024-2612) [1], [2], [3]

Moderate-severity clickjacking vulnerability in Firefox, Firefox ESR, and Thunderbird (CVE-2024-2611) [1], [2], [3]

 

Vulnerability Patches

 

The following vulnerability patches were made available in the March 19, 2024 update. For more information on the patches, refer to the Mozilla documentation listed under Referenced Sites.

Thunderbird version 115.9

Firefox ESR version 115.9

Firefox version 124

 

Referenced Sites

 

[1] Security Vulnerabilities fixed in Thunderbird 115.9

https://www.mozilla.org/en-US/security/advisories/mfsa2024-14/

[2] Security Vulnerabilities fixed in Firefox ESR 115.9

https://www.mozilla.org/en-US/security/advisories/mfsa2024-13/

[3] Security Vulnerabilities fixed in Firefox 124

https://www.mozilla.org/en-US/security/advisories/mfsa2024-12/

[4] Update Firefox to the latest release

https://support.mozilla.org/ko/kb/update-firefox-latest-release