Cisco Talos recently discovered an information disclosure vulnerability in Mozilla Firefox. An attacker can exploit this bug by tricking a user into visiting a specially crafted web page through the browser. If

successful, the adversary could use leaked memory to bypass ASLR and, in combination with other vulnerabilities, obtain the ability to execute arbitrary code.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Mozilla to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details Mozilla Firefox URL mPath information disclosure vulnerability (TALOS-2020-1088/CVE-2020-12418)

An information disclosure vulnerability exists in the URL mPath functionality of Mozilla Firefox Firefox Nightly Version 78.0a1 x64 and Firefox Release Version 76.0.2 x64. A specially crafted URL object can cause an out-of-bounds read. An attacker can visit a webpage to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested Talos tested and confirmed that Firefox version 76.0.2 x64 and Firefox Nightly version 78.0a1 x64 are affected by this vulnerability

Coverage The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 54265, 54266