Mumbai: Two serious vulnerabilities in Mozilla products have come to light which can grant hackers access to your device’s camera and microphone if exploited successfully. Both vulnerabilities have been officially acknowledged by Mozilla as well as the Indian Computer Emergency Response Team (CERT-In), the country’s apex agency for cybersecurity.
On Monday, CERT-In issued a warning for seven vulnerabilities, including these two, that exist in Mozilla Firefox, Mozilla ESR and Mozilla Thunderbird. While Firefox is a regular browser, Firefox Extended Support Release (ESR) is developed for large organisations like universities and businesses, and Thunderbird is an application that helps individuals and organisations manage their email.
“Multiple vulnerabilities have been reported in Mozilla products which could allow a remote attacker to bypass security restrictions, execute arbitrary code and cause denial of service attack on the targeted system,” CERT-In’s advisory states. CERT-In has classified all the seven vulnerabilities as ‘high’ in severity.
Execution of arbitrary code means that a hacker, once inside the system, can run any command that they want to, effectively granting them control over the entire system. Denial of service is a common form of cyberattack where attackers cause losses to organisations by disrupting the service that is provided to the consumers.
The most serious one exists in Mozilla ESR and can grant access to all the permissions that have been granted to the browser, including camera and microphone. The second one affects the Android version of Firefox and can enable recording of audio on the target computer without the user getting a notification about it.
All the seven vulnerabilities have been officially acknowledged by Mozilla in an update on their website. Mozilla, too, has rated them as ‘High’ in severity. According to Mozilla’s own criteria, a ‘High’ severity means that the vulnerability can be used to gather sensitive data from sites in other windows, or inject data or code into those sites, requiring no more than normal browsing actions.
All of them have been assigned individual Common Vulnerabilities and Exploits (CVE) numbers, which are a formal acknowledgement in the cybersecurity law enforcement community. The CERT-In is one of the agencies in the world that is recognised as a CVE assigning authority.
Mozilla has released patches for all the seven vulnerabilities and CERT-In has urged users to immediately download the latest updates to install these patches. Prompt updating is especially important in light of a recent research report, which showed that hackers start looking for and exploiting devices with unpatched vulnerabilities as soon as the vulnerabilities are officially announced in the public domain.

Hindustan Times