Jed Davis

**Name of the Vulnerable Software and Affected Versions** Thunderbird version 150 Firefox version 150 **Description** Memory safety bugs involving memory corruption may allow an attacker to execute arbitrary code. **Recommendations** Update Thunderbird to version 151. Update Firefox to version 151.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 134.0.2 Firefox ESR versions prior to 140.4.0 Thunderbird versions prior to 138.0 Thunderbird versions prior to 137.0 **Description** The software is affected by memory safety flaws that could allow for arbitrary code execution. These flaws may lead to memory corruption, potentially enabling an attacker to exploit the system by tricking a user into opening a specially crafted website. No information is available regarding the number of potentially affected devices or real-world incidents. The issue involves a failure to properly validate buffer sizes during data copying operations. **Recommendations** Update Firefox to version 134.0.2 or later. Update Firefox ESR to version 140.4.0 or later. Update Thunderbird to version 138.0 or later. Update Thunderbird to version 137.0 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox ESR versions prior to 115.6 Thunderbird versions prior to 115.6 Firefox versions prior to 121 **Description** The issue is related to a buffer boundary violation. When resolving a symlink, a race may occur where the buffer passed to `readlink` may actually be smaller than necessary. This bug only affects Firefox on Unix-based operating systems, including Android, Linux, and MacOS, while Windows is unaffected. **Recommendations** For Firefox ESR versions prior to 115.6, update to version 115.6 or later. For Thunderbird versions prior to 115.6, update to version 115.6 or later. For Firefox versions prior to 121, update to version 121 or later. As a temporary workaround, consider restricting the use of symlinks in Firefox on Unix-based operating systems until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 119 Firefox ESR versions prior to 115.4 Thunderbird versions prior to 115.4.1 **Description** The issue is related to memory safety bugs that can lead to memory corruption. It is presumed that with sufficient effort, these bugs could be exploited to run arbitrary code. The vulnerability is associated with a buffer overflow in memory, which can allow a remote attacker to execute arbitrary code. **Recommendations** For Firefox versions prior to 119, update to version 119 or later. For Firefox ESR versions prior to 115.4, update to version 115.4 or later. For Thunderbird versions prior to 115.4.1, update to version 115.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 96 **Description** A compromised content process could confuse higher privileged processes into interacting with resource handles that the unprivileged process should not have access to, by generally accepting and passing resource handles across processes. This issue only affects Firefox for Windows and MacOS, with other operating systems being unaffected. **Recommendations** For Firefox versions prior to 96, update to version 96 or later to resolve the issue. As a temporary workaround, consider restricting interactions between processes to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 60.5 Firefox ESR versions prior to 60.5 Firefox versions prior to 65 **Description** The issue is related to an Inter-process Communication (IPC) vulnerability. It affects the authentication mechanism between IPC endpoints and server parents during IPC process creation. The authentication is insufficient for channels created after the IPC process is started, which could allow for a sandbox escape through IPC channels due to lack of message validation in the listener process. **Recommendations** For Thunderbird versions prior to 60.5, update to version 60.5 or later. For Firefox ESR versions prior to 60.5, update to version 60.5 or later. For Firefox versions prior to 65, update to version 65 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 64 Firefox ESR versions prior to 60.4 Thunderbird versions prior to 60.4 **Description** The issue is related to memory safety bugs, including evidence of memory corruption, which could potentially be exploited to run arbitrary code. This is due to a buffer overflow in memory, allowing a remote attacker to execute arbitrary code. **Recommendations** For Firefox versions prior to 64, update to version 64 or later. For Firefox ESR versions prior to 60.4, update to version 60.4 or later. For Thunderbird versions prior to 60.4, update to version 60.4 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 63 Firefox ESR versions prior to 60.3 Thunderbird versions prior to 60.3 **Description** The issue is caused by memory safety bugs, including evidence of memory corruption, which could potentially be exploited to run arbitrary code with enough effort. It is also described as a buffer overflow in memory, allowing a remote attacker to execute arbitrary code. **Recommendations** For Firefox versions prior to 63, update to version 63 or later. For Firefox ESR versions prior to 60.3, update to version 60.3 or later. For Thunderbird versions prior to 60.3, update to version 60.3 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 62 Firefox ESR versions prior to 60.2 Thunderbird versions prior to 60.2.1 **Description** The issue is caused by memory safety bugs, including evidence of memory corruption, which could potentially be exploited to run arbitrary code with enough effort. This affects various versions of Firefox, Firefox ESR, and Thunderbird. **Recommendations** For Firefox versions prior to 62, update to version 62 or later. For Firefox ESR versions prior to 60.2, update to version 60.2 or later. For Thunderbird versions prior to 60.2.1, update to version 60.2.1 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 52 Thunderbird versions prior to 52 **Description** The issue occurs on Linux when the seccomp-bpf filter is running and the Gecko Media Plugin sandbox is started, causing the sandbox to fail and leaving items with only the filter's protection, which is typically weaker than the sandbox. This issue is specific to Linux and does not affect other operating systems. **Recommendations** For Firefox versions prior to 52, update to version 52 or later to resolve the issue. For Thunderbird versions prior to 52, update to version 52 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 52 Thunderbird versions prior to 52 **Description** Memory safety bugs were reported, showing evidence of memory corruption. It is presumed that with enough effort, some of these bugs could be exploited to run arbitrary code. **Recommendations** For Firefox versions prior to 52, update to version 52 or later. For Thunderbird versions prior to 52, update to version 52 or later.

**Name of the Vulnerable Software and Affected Versions** Mozilla Network Security Services (NSS) versions prior to 3.23 Mozilla Firefox versions prior to 47.0 **Description** The issue is related to errors in the code of the Network Security Services library and the Firefox browser. It may allow a remote attacker to cause a denial of service, such as memory corruption and application crash, or have other unspecified impacts. **Recommendations** For Mozilla Network Security Services (NSS) versions prior to 3.23, update to version 3.23 or later. For Mozilla Firefox versions prior to 47.0, update to version 47.0 or later.

**Name of the Vulnerable Software and Affected Versions** Android versions prior to 5.1.1 LMY49F Android versions prior to 6.0 2016-01-01 **Description** The issue is related to the `prctl vma anon name` function in the Android kernel, which lacks a procedure to check the availability of virtual memory areas for update. This can be exploited by a remote attacker using a specially crafted application to gain privileges or cause a denial of service, potentially leading to vma list corruption. **Recommendations** For Android versions prior to 5.1.1 LMY49F, update to version 5.1.1 LMY49F or later. For Android versions prior to 6.0 2016-01-01, update to version 6.0 2016-01-01 or later.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 18.0.1025.168 Mozilla Firefox versions prior to 38.0 **Description** The Inter-process Communication (IPC) implementation does not properly validate messages, which has unspecified impact and attack vectors. **Recommendations** For Google Chrome versions prior to 18.0.1025.168, update to version 18.0.1025.168 or later. For Mozilla Firefox versions prior to 38.0, update to version 38.0 or later.