The Mozilla Foundation has patched four High risk vulnerabilities in Firefox 93, as well as added a security feature that blocks unsafe downloads.
An attacker could exploit these vulnerabilities to take control of impacted systems.
As part of Mozilla Foundation Security Advisory 2021-43, Firefox 93 addressed the following four High severity vulnerabilities:
- CVE-2021-38496: Use-after-free in MessageTask
- CVE-2021-38500: Memory safety bugs
- CVE-2021-38501: Memory safety bugs
- CVE-2021-38499: Memory safety bugs.
The three memory safety bugs could allow an attacker to exploit and then run arbitrary code. To add, three other Moderate rated vulnerabilities were also patched.
Moreover, the latest release of Firefox 93 includes a number of new features and security improvements. For instance, Firefox now blocks unsafe downloads that rely on insecure connections (e.g., HTTP downloads on a secure HTTPS page or downloads in a sandboxed iframe without the allow-downloads attribute explicitly annotated).
Mozilla also disabled TLS ciphersuites that use the deprecated 3DES cryptographic algorithm.