Attention Chromium Users,

This week, we learned of a severe vulnerability in the Chromium web browser. Officially termed CVE-2023-5472, this exploit poses considerable threats to your digital security if left unaddressed. This "use-after-free" vulnerability allows attackers to access portions of your computer's memory without authorization, which could lead to sharing personal info without your knowledge. Yeah, it's bad.

Read on for more info on a further description of this vulnerability, what it means for you, and pointers to the distributions that have already released updates.

Other updates covered in today's newsletter include a critical update to Firefox that could result in arbitrary code execution, clickjacking, spoofing, or information leaks. Memory safety bugs were also discovered and fixed in Firefox and Thunderbird, which could let an attacker launch harmful scripts without your knowledge or consent.

Our goal is to help you understand complex open-source security topics with more practical guidance and language. If you found this helpful, please tell us what you think and share it with your friends. We'd love to hear from you.

Stay safe out there,

Brittany Signature 150 Esm W150

Chromium

The Discovery 

A severe use-after-free vulnerability has been found in Chromium (CVE-2023-5472), which could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability, which Chromium has rated as “high-severity,” is related to a bug in the webRTC (Real-time Communication) functionality. 

Chromium Esm W225

The Impact

This flaw allows attackers to access portions of your computer's memory without authorization, which could lead to sharing personal info without your knowledge.

The Fix

An important Chromium update has been released to mitigate this dangerous issue. Given this vulnerability's threat to impacted systems, if left unpatched, we strongly recommend that all affected users update to the latest version of Chromium now to protect against potential downtime, system compromise, and information leakage.

Your Related Advisories:

[distro_list_1]

Firefox

The Discovery 

Firefox Esm W220

Firefox users: Have you updated to the most recent version of Firefox to protect against the critical security issues recently found in the popular web browser? The most severe vulnerabilities discovered are several memory safety bugs present in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3 (CVE-2023-5730) and an insufficient activation-delay, allowing certain browser prompts and dialogs to be activated or dismissed unintentionally by the user (CVE-2023-5721). Due to these bugs’ significant threat to the confidentiality, integrity, and availability of impacted systems, they have received a National Vulnerability Database severity rating of “Critical”.

The Impact

These severe flaws could potentially result in arbitrary code execution, clickjacking, spoofing, or information leaks.

The Fix

Distros continue to release advisory updates regarding a critical Firefox security update that has been released to fix the vulnerabilities recently discovered. Given these bugs’ severe threat to impacted systems, if left unpatched, we urge all affected users to apply these updates immediately to protect against attacks threatening the security, integrity, and availability of their systems and the confidentiality of their sensitive information.

Your Related Advisories:

[distro_list_2]

Thunderbird

The Discovery 

Thunderbird users: you are also impacted by the above vulnerabilities (CVE-2023-5721 and CVE-2023-5730) recently discovered in Firefox. Memory safety bugs present in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3 (CVE-2023-5730) can be best described as a potential gateway for unwanted actions. Essentially, it lets an attacker run harmful scripts without your knowledge or consent. CVE-2023-5721 involves the improper handling of certain email content. More specifically, if an attacker sends a specially crafted email to a Thunderbird user, and the user interacts with the email, the attacker could execute harmful code. 

Thunderbird Esm W226

The Impact

Exploitation of these flaws could result in data theft, unauthorized use of your system, or worse – a complete system takeover.

The Fix

A critical Thunderbird update has been released to mitigate these impactful bugs. Given these vulnerabilities’ threat to affected systems, if left unpatched, we strongly recommend that all affected users update to the latest version of Thunderbird as soon as possible to protect against unauthorized system access and data loss.

Your Related Advisories:

[distro_list_3]