Mozilla released a security update to address a high-severity privilege escalation vulnerability found in the Mozilla Maintenance Service.
The Mozilla Maintenance Service is an optional Firefox and Thunderbird service that makes application updates possible in the background.
This provides Firefox users with a seamless update experience in which they are no longer required to click ‘Yes’ in the Windows User Account Control (UAC) dialog before updating their web browser or email client.
Mozilla fixed the privilege escalation security flaw tracked as CVE-2022-22753 today, with the release of Firefox 97.
Successful exploitation on unpatched systems can let attackers escalate their privileges to NT AUTHORITY\SYSTEM account rights (the highest level of privileges on a Windows system).
“A Time-of-Check Time-of-Use bug existed in the Maintenance (Updater) Service that could be abused to grant Users write access to an arbitrary directory. This could have been used to escalate to SYSTEM access,” Mozilla explained.
“This bug only affects Firefox on Windows. Other operating systems are unaffected.”
Mozilla also said that Firefox 97 addresses multiple memory safety bugs found by Mozilla developers and community in Firefox 96 and Firefox ESR 91.5.
“Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla added.
Firefox 97 also adds new features, improvements
Today’s release also comes with new features, such as support for the new style of scrollbars on Windows 11, and with fixes, including improvements to macOS system font loading that make opening and switching to new tabs faster.
Firefox 97 also removes support for directly generating PostScript for printing on Linux, although printing to PostScript printers is still available as a supported option.
In December, Mozilla also fixed a critical memory corruption bug affecting its cross-platform Network Security Services (NSS) cryptography libraries.
On systems running vulnerable Firefox versions, exploitation could lead to a heap-based buffer overflow, with the impact ranging from program crashes and arbitrary code execution to bypassing security software if code execution is gained.
Mozilla said at the time that all PDF viewers and email clients which use NSS versions released since October 2012 for signature verification were believed to be affected.