Important security updates are available for the web browsers Firefox ESR and Tor Browser and for the mail client Thunderbird. Patched versions are available for download.

Attackers may be able to execute code via the vulnerabilities, all of which are rated at risk level High. Mozilla provides updates for its programs that fix the problems. The creators of the Tor Browser have also reacted accordingly.

DoS and malicious code attacks

One of the vulnerabilities in Thunderbird concerns the handling of NSSToken objects. These could be called in an unsafe manner, which could lead to a use-after-free and a potentially exploitable crash. Another vulnerability is caused by an unexpectedly high number of WebAuthN extensions. It can also be used to provoke a crash and can be exploited to run code. Both vulnerabilities also affect Firefox ESR. Firefox ESR 91.8 and Thunderbird 91.8 fix the problems. According to the creators of Tor Browser, Tor Browser 11.0.10 updates Firefox to 91.8.0esr on Windows, macOS and Linux.

The anonymizer Tor Browser is based on Firefox ESR and therefore also gets the security updates. In addition to the security fixes, the developers have updated the bundled NoScript package to 11.4.3 and fixed a few bugs. The current Tor Browser release is 11.0.10.