Redazione RHC : 21 August 2025 18:25
Mozilla has fixed several high-severity security bugs with the release of Firefox 142, preventing attackers from remotely executing code of their choosing on affected systems. The security advisory, published on August 19, 2025, reveals nine distinct vulnerabilities ranging from sandbox escapes to memory safety bugs, with several classified as high-impact threats capable of allowing remote code execution (RCE).
The sandbox escape allows memory corruption within the heavily sandboxed GMP (Gecko Media Plugin) process responsible for handling encrypted media, potentially allowing attackers to escalate privileges beyond the restrictions that normally apply to a content process.
The other vulnerabilities cover a wide range, including CVE-2025-9180, a same-origin policy bypass affecting the Graphics: Canvas2D component.
The memory safety bugs were identified by Mozilla security researchers Andy Leiserson, Maurice Dauer and Sebastian Hengst together with the Mozilla Fuzzing Team; according to Mozilla, these bugs clearly demonstrate the potential for arbitrary code execution.
The same-origin policy bypass undermines the fundamental web security model that prevents a page from reading cross-origin resources, potentially allowing a malicious website to access sensitive data belonging to other domains.
Three of the vulnerabilities pose significant RCE risks. CVE-2025-9187 affects Firefox 141 and Thunderbird 141, while CVE-2025-9184 affects Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141, and Thunderbird 141.
The most widespread issue, CVE-2025-9185, affects several Extended Support Release (ESR) versions, including Firefox ESR 115.26, 128.13, and 140.1, as well as their Thunderbird counterparts.
Additional vulnerabilities include CVE-2025-9181, an uninitialized memory issue in the JavaScript Engine component of Firefox ESR reported by Irvan Kurniawan, and several minor issues involving address bar spoofing and denial-of-service conditions in the WebRender graphics component.