The Computer Emergency Response Team of India (CERT-In), India’s national cybersecurity agency, has issued an advance warning to those browsing the web with Mozilla Firefox. CERT-In reports that multiple security flaws have been discovered in Mozilla products that could allow hackers to bypass security restrictions, conduct spoofing attacks, execute arbitrary code, obtain sensitive information, and conduct denial-of-service attacks on compromised systems.
What versions are vulnerable?
All versions of the Mozilla Firefox Internet browser prior to the latest version, Firefox 98, are affected by these vulnerabilities. In addition, versions of Mozilla Firefox ESR prior to 91.7 and versions of Mozilla Firefox Thunderbird prior to 91.7 have similar security vulnerabilities. CERT-In warns users to immediately update to Firefox 98, Firefox ESR 91.7 and Thunderbird 91.7.
What causes these vulnerabilities?
“These vulnerabilities exist in Mozilla products due to the use of post-release in text reflow and stop flow, validation time bugs when checking add-on signatures, bugs when iframe sandbox content is checked with pop-up permission but not allow-script, memory security bugs in the engine browser, downloading temporary files to /tmp and accessing them by other local users, side-channel attacks on text, and browser window spoofing using full-screen mode,” reads the latest CERT-In notice.
How do hackers exploit these security holes?
Explaining how hackers can exploit security holes, CERT-In said: “A remote attacker can exploit these vulnerabilities by convincing the victim to visit a specially crafted link or website. Successful exploitation of these vulnerabilities could allow an attacker to remotely bypass security restrictions by conducting spoofing attacks, executing arbitrary code, obtaining sensitive information, and invoking denial-of-service attacks on the target system.” By comparison, CERT-In reported over 14.02 cybersecurity incidents last year.
The Minister of State for Electronics and Information Technology, Rajiv Chandrasekhar, made the announcement in a written response dated March 16. Although the minister did not elaborate on the origin of the attacks, precedents for such attacks have emerged in China, Pakistan, Algeria, Brazil, Canada and many other countries.
The minister also said in his response that the government is committed to ensuring that “the Internet in India is open, secure, reliable and accountable for all users”. In its written response, the MoS also confirmed a number of measures taken to improve the IT security of critical facilities in the country. The response also highlights that the ministry has implemented the Information Security Education and Awareness (ISEA) Program to build capacity in the area of information security.
As part of this initiative, the government will also train and raise awareness of information security for government officials. The project is currently being implemented in 52 academic and educational institutions across the country.
Resources such as books and videos are available on government websites to raise awareness about information security. This came on the same day that CERT-In issued a high-level warning to Mozilla Firefox and Microsoft Edge users, citing security vulnerabilities that could be exploited by targeted users.