Ensure you are using the latest version of Firefox: Firefox versions 74.0.1 or later.
For more details, see below
Security flaws in Mozilla Firefox could lead to a breach. Learn more from Dox now.
In an effort to keep you apprised of the latest threats to your business security without inundating your inbox, Dox TotalCare is now combining all alerts and advisories into one email to save you time and simplify the alert and advisory process. In today's alerts and advisories, you will find:
- An Advisory Regarding Multiple Vulnerabilities in Mozilla Firefox
Please feel free to contact Dox at (585) 473-7766 at any time with questions.
|
|
Cybersecurity Advisory: Multiple Vulnerabilities Discovered in Mozilla Firefox
A cybersecurity advisory was issued Apr. 3, 2020 regarding multiple vulnerabilities in Mozilla Firefox and Firefox Extended Support Release (ESR). The vulnerabilities could allow an attacker to execute arbitrary code, which could potentially lead to a breach.
What It Is: Multiple vulnerabilities have been discovered in Mozilla Firefox and Firefox Extended Support Release (ESR), the most severe of which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. Read the original Mozilla Foundation Security Advisory.
Threat Intelligence: Mozilla reports that these two vulnerabilities are being exploited in the wild. Systems Affected:
- Firefox versions prior to 74.0.1
- Firefox ESR versions prior to 68.6.1
Risk: Government:
- Large and medium government entities: High
- Small government entities: Medium
Businesses:
- Large and medium business entities: High
- Small business entities: Medium
Home users: Low What It Means: If you and/or your business utilize the Mozilla Firefox versions mentioned above, you will need to apply the appropriate updates provided by Mozilla to vulnerable systems immediately following proper testing. Technical Summary: Multiple vulnerabilities have been discovered in Mozilla Firefox and Firefox Extended Support Release (ESR), the most severe of which could allow for arbitrary code execution. Details of the vulnerabilities are as follows:
- Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. (CVE-2020-6819)
- Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. (CVE-2020-6820)
What To Do:
We recommend the following actions be taken:
- Apply appropriate updates provided by Mozilla to vulnerable systems, immediately after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from untrusted sources.
- Apply the Principle of Least Privilege to all systems and services.
|
|
Negative Consequences of Lost or Stolen Data: The loss or theft of proprietary data can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:
- Temporary or permanent loss of sensitive or proprietary information.
- Disruption to regular operations.
- Financial losses incurred to restore systems and files.
- Potential harm to an organization's reputation.
Should your agency or business need assistance with issues arising from vulnerabilities in Mozilla Firefox, including updates and/or patches, Dox can help. Please contact Dox if there is anything we can do to assist in securing your agency, business, or organization. Thank you for your time and stay safe online. Sincerely, Ken Michael, VP of Dox CISSP, CRISC, CISA, Certified Security Analyst Direct: (585) 295-1932 Cell: (585) 329-7766 kenm@doxnet.com
|
|
|
Meet the Dox Box
The Dox Box is our newly updated automated network scanning and reporting tool. With the Dox Box, Dox is able to regularly scan your networks for security threats. We then provide a monthly, automated report explaining where your high, medium and low-level vulnerabilities lie so you can quickly and efficiently address them to further secure every network you manage.
Consistent Vulnerability Scanning
The Dox Box network appliance is custom-built by Dox as a set-it-and-forget-it device with just a power cable and Ethernet connection to the target network. Dox remotely controls and maintains the device so you never have to worry about network scanning. The Dox Box can handle up to a total of 250 active IPs and up to five subnets. With the Dox Box, you get:
- Better Security for Your Business- The Dox Box regularly scans your network(s) to alert you to security threats fast.
- Reporting You Can Count On- Receive a monthly report listing vulnerabilities detected on your target network(s), both internal and external, rating each by the severity of the threat.
- Secure Service to Identify Threats- Reports are hosted on a secure Dox server so you don't have to worry about the security of your scanning and reports.
- Regulatory-Compliant Scanning- Satisfy the requirements of government regulations across industries with both internal and external scans.
- Peace of Mind- Set it and forget it. The device does all the work so you can focus on yours.
|
|
|
|
|