The Mozilla Foundation has patched four High severity vulnerabilities in Firefox 109, alongside a number of other bug fixes.
An attacker could exploit these vulnerabilities to take control of impacted systems.
According to the Mozilla Foundation Security Advisory 2023-01, Firefox 109 addressed the following four High severity vulnerabilities:
- CVE-2023-23597: Logic bug in process allocation allowed arbitrary files to be read.
- CVE-2023-23598: Arbitrary file read from GTK drag and drop on Linux.
- CVE-2023-23605: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7.
- CVE-2023-23606: Memory safety bugs fixed in Firefox 109.
Regarding CVE-2023-23597, Mozilla stated:
“A compromised web child process could disable web security opening restrictions, leading to a new child process being spawned within the file:// context. Given a reliable exploit primitive, this new process could be exploited again leading to arbitrary file read.”
Moreover, Mozilla warned the memory safety bugs (CVE-2023-23605 and CVE-2023-23606) could be exploited to run arbitrary code.
The Firefox 109 update also addressed six other vulnerabilities rated Moderate or Low severity.
Finally, Mozilla also released updates for Firefox ESR 102.7.
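As an added example (not part of Mozilla's advisory or this article), a small Python check that decides whether an installed Firefox build already carries the MFSA 2023-01 fixes, treating the release channel (fixed in 109) and the ESR channel (fixed in 102.7) separately; the host inventory is constructed for illustration.

```python
import re

# Fixed versions named in the advisory summary above (MFSA 2023-01).
FIXED_RELEASE = (109, 0)
FIXED_ESR = (102, 7)

# Accepts strings such as "109.0", "108.0.2" or "102.6.0esr".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr)?$")


def parse_firefox_version(version: str):
    """Return (major, minor, patch, is_esr) for a Firefox version string."""
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {version!r}")
    major, minor, patch, esr = m.groups()
    return int(major), int(minor), int(patch or 0), esr is not None


def is_patched(version: str) -> bool:
    """True if this build is at or past the fixed version for its channel."""
    major, minor, _, is_esr = parse_firefox_version(version)
    # A release-channel 102.x build is not ESR and is still far behind 109,
    # so the channel must be read from the version string, not inferred.
    target = FIXED_ESR if is_esr else FIXED_RELEASE
    return (major, minor) >= target


def triage(inventory):
    """Map each unpatched host to the update it should receive."""
    findings = {}
    for host, version in inventory.items():
        if not is_patched(version):
            is_esr = parse_firefox_version(version)[3]
            findings[host] = "Firefox ESR 102.7" if is_esr else "Firefox 109"
    return findings


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = {
    "ws-01": "108.0.2",      # release channel, one version behind
    "ws-02": "109.0",        # release channel, patched
    "srv-03": "102.6.0esr",  # ESR, one point release behind
    "srv-04": "102.7.0esr",  # ESR, patched
    "ws-05": "102.0.1",      # old release-channel build, not ESR
}

if __name__ == "__main__":
    for host, target in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: update to {target}")
```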