Mozilla Releases Firefox 88, Fixes 13 Vulnerabilities
The Mozilla Foundation has fixed a flaw in its popular Firefox browser that allowed for the spoofing of the HTTPS secure communications icon, displayed as a padlock in the upper left of a user’s address bar. Successful exploitation of the flaw could have allowed a rogue website to intercept browser communications. The patch was part of the non-profit’s Monday update to Firefox 88, its corporate Firefox ESR 78.10 browser and its Thunderbird 78.10 email client. In total, Firefox 88 addresses 13 browser bugs, six of which are rated high-severity.
Tracked as CVE-2021-23998, the secure-lock-icon bug affects both the consumer and corporate versions of Firefox prior to the Monday releases. The browser padlock icon, used by all major browsers, indicates a secure communication channel between the browser and the server hosting the website. It indicates the communication is encrypted using HTTPS and utilizes an SSL/TLS certificate.
Other high-severity bugs range from memory corruption flaws to one that allowed a rogue website to render malicious JavaScript outside a webpage’s visible content window.
The Mozilla security bulletin is light on the technical specifics of the bug and does not indicate if any of the 13 flaws outlined in its advisory are being exploited in the wild. The relatively mild collection of Firefox fixes stands in contrast to Google and its Chrome browser, which last week rushed patches addressing a zero-day remote code execution (RCE) vulnerability.