Major browsers have been updated to fix separate bugs that enable remote attacks and could allow attackers to take over targeted devices.
Makers of the Chrome, Firefox, and Edge browsers are urging users to patch critical vulnerabilities that could be used to hijack systems running the software.
The Mozilla Firefox vulnerability (CVE-2020-16044) is separate from a bug reported in Google’s Chromium engine, which underpins both Google Chrome and Microsoft’s current Chromium-based Edge browser.
On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) urged users of the Mozilla Foundation’s Firefox browser to patch a bug tracked as CVE-2020-16044 and rated critical.
The vulnerability is a use-after-free bug in the code that handles the SCTP handshake Firefox uses for WebRTC data channels; despite the name of the affected chunk, it has nothing to do with browser (HTTP) cookies. If exploited, it could let an attacker run code on the computer, phone, or tablet running the browser.
The fix ships in Firefox 84.0.2 for desktop, Firefox for Android 84.1.3, and Mozilla’s enterprise-oriented Firefox ESR 78.6.1; earlier releases remain affected.
“A malicious peer could have altered a COOKIE-ECHO chunk in an SCTP packet in a manner that potentially led to a use-after-free. We assume that with sufficient effort it could have been exploited to run arbitrary code,” according to a Mozilla security bulletin posted Thursday.
SCTP stands for Stream Control Transmission Protocol, a transport-layer protocol of the Internet protocol suite alongside TCP and UDP; browsers use it to carry WebRTC data channels. The bug is tied to how the SCTP state cookie is handled during connection setup, not to the cookies a web site stores in the browser.
SCTP establishes a connection (an association) with a four-way handshake: the initiator sends INIT, the responder answers with INIT-ACK carrying a State Cookie it generated, the initiator sends that cookie back in a COOKIE-ECHO chunk, and the responder confirms with COOKIE-ACK. The COOKIE-ECHO chunk is therefore data the remote peer fully controls during connection setup, which is why a malicious peer can reach this code path.
According to Mozilla, an adversary could craft a malicious COOKIE-ECHO chunk to corrupt the browser’s memory. A use-after-free vulnerability is a misuse of dynamically allocated memory while a program is running:
“If after freeing a memory location, a program doesn’t clear the pointer to this memory, an attacker may use the error to hack the program,” according to a description of this class of vulnerability.
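To make the handshake description and the use-after-free definition above concrete, here is an added example (not Firefox, usrsctp, or Mozilla code) in C. It models a hypothetical association object that remembers the State Cookie it issued in INIT-ACK, shows the bug pattern in which a mismatched COOKIE-ECHO frees that object but leaves a dangling pointer that is then dereferenced, and places the corrected ownership-handling beside it. All names, the 16-byte cookie length, and the sample cookies are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, constructed association state: it remembers the State Cookie it
 * handed out in INIT-ACK and whether the peer's COOKIE-ECHO matched it. This is
 * an illustration of the bug class only, not Firefox's or usrsctp's real code. */
#define COOKIE_LEN 16

typedef struct {
    unsigned char expected_cookie[COOKIE_LEN];
    int established;
} assoc_t;

assoc_t *assoc_new(const unsigned char cookie[COOKIE_LEN]) {
    assoc_t *a = calloc(1, sizeof *a);
    if (a != NULL)
        memcpy(a->expected_cookie, cookie, COOKIE_LEN);
    return a;
}

/* VULNERABLE pattern: a mismatched COOKIE-ECHO tears down the association and
 * frees it, but the function (and its caller) keep a pointer to the freed block.
 * The final read of a->established on the error path is a use-after-free; with
 * attacker-influenced heap layout that stale read or write becomes an exploit
 * primitive. Never called by the demo below, because it is undefined behaviour. */
int handle_cookie_echo_vuln(assoc_t *a, const unsigned char *echo, size_t echo_len) {
    if (echo_len != COOKIE_LEN || memcmp(a->expected_cookie, echo, COOKIE_LEN) != 0)
        free(a);                    /* object released ... */
    else
        a->established = 1;
    return a->established;          /* ... but still dereferenced on the error path */
}

/* FIXED pattern: ownership is explicit. The function receives the caller's pointer
 * by reference, frees the object exactly once, nulls the pointer so the caller
 * cannot reuse it, and returns its verdict without touching freed memory. */
int handle_cookie_echo_fixed(assoc_t **ap, const unsigned char *echo, size_t echo_len) {
    assoc_t *a = *ap;
    if (a == NULL)
        return -1;                  /* already torn down; nothing to do */
    if (echo_len != COOKIE_LEN || memcmp(a->expected_cookie, echo, COOKIE_LEN) != 0) {
        free(a);
        *ap = NULL;                 /* the dangling pointer goes away with the object */
        return -1;
    }
    a->established = 1;
    return 1;
}

/* Drives the fixed handler through the outcomes a malicious peer can force:
 * a genuine echo, a forged echo, and a late chunk after teardown.
 * Returns 1 only if every step behaved as the fixed code should. */
int run_handshake_demo(void) {
    unsigned char cookie[COOKIE_LEN], forged[COOKIE_LEN];
    memset(cookie, 0x41, COOKIE_LEN);   /* constructed State Cookie from INIT-ACK */
    memset(forged, 0x42, COOKIE_LEN);   /* constructed altered COOKIE-ECHO */

    assoc_t *a = assoc_new(cookie);
    if (a == NULL)
        return 0;

    int ok = 1;
    ok &= (handle_cookie_echo_fixed(&a, cookie, COOKIE_LEN) == 1);   /* genuine echo: established */
    ok &= (a != NULL && a->established == 1);
    ok &= (handle_cookie_echo_fixed(&a, forged, COOKIE_LEN) == -1);  /* forged echo: torn down */
    ok &= (a == NULL);                                               /* no dangling pointer left */
    ok &= (handle_cookie_echo_fixed(&a, cookie, COOKIE_LEN) == -1);  /* late chunk: safely rejected */
    return ok;
}

int main(void) {
    int ok = run_handshake_demo();
    printf("fixed handler behaved correctly: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The point of the fixed version is not the NULL check by itself but the ownership rule it enforces: whoever frees the object is also responsible for invalidating every reference to it, and no code path reads the object after the free. Compiling the vulnerable function under AddressSanitizer and feeding it a forged echo reports the stale read immediately, which is the cheapest way to catch this class before a malicious peer does.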
Mozilla did not credit anyone with discovering the bug, nor did it say whether the vulnerability was being actively exploited in the wild.
Also on Thursday, CISA urged Windows, macOS, and Linux users of Google’s Chrome browser to update to version 87.0.4280.141, which patches an out-of-bounds write bug in the V8 JavaScript engine (CVE-2020-15995).
The CISA warning stated that upgrading to the latest version of Chrome “addresses vulnerabilities that an attacker could exploit to take control of an affected system.”
Because Microsoft’s current Edge browser is built on the Chromium engine, Microsoft likewise urged its users to update to Edge version 87.0.664.75.
Tencent Security Xuanwu Lab researcher Bohan Liu is credited for discovering and reporting the bug.
Interestingly, CVE-2020-15995 was first listed in a Chrome for Android security update Google released in October 2020. At the time, the bug was rated high-severity.
While technical details of the bug aren’t public, similar out-of-bounds write bugs in V8 have allowed remote attackers to exploit heap corruption via a crafted HTML page.
Heap corruption is a form of memory corruption in which the contents of a heap location are modified in a way the original programmer did not intend, typically by writing past the bounds of an allocation or through a stale pointer.
A so-called heap-smashing attack may be used to exploit heap corruption, according to an academic paper (PDF) co-authored by Nektarios Georgios Tsoutsos, a student member of IEEE, and Michail Maniatakos, a senior member of IEEE.
“By overflowing a heap block, attackers could overwrite adjacent heap headers that link different heap blocks, and eventually cause the dynamic memory allocator to modify arbitrary memory locations once a heap free operation is executed.
The malicious payload can also be generated on-the-fly: for example, by exploiting Just-In-Time (JIT) compilation, assembled code could be written on the heap,” they wrote.
Neither Microsoft nor Google explains why the October 2020 CVE-2020-15995 reappears in both of their Thursday security bulletins. Typically, that is an indication that the initial fix was incomplete.
More Chromium Bugs Impact Chrome and Edge
Google reported twelve additional bugs affecting its Chromium browser engine.
Most of the bugs were rated high-severity and were use-after-free flaws. Three of the vulnerabilities earned their finders $20,000 each. Weipeng Jiang of the Codesafe Team of Legendsec at Qi’anxin Group is credited with discovering two of those $20,000 bugs (CVE-2021-21106 and CVE-2021-21107).
The first is a use-after-free bug in Chromium’s autofill component; the second, a use-after-free bug in Chromium’s networking component.