According to the advisories, Mozilla rates most of these vulnerabilities as "high severity" (one is rated moderate). All of them are memory-safety bugs: out-of-bounds writes, a use-after-free, and a double-free. Bugs of this kind typically cause a crash, but some of them may also be exploitable to run arbitrary code in the affected process.
For Thunderbird, the developers point out that these flaws generally cannot be exploited through email, because scripting is disabled when reading mail; they remain a potential risk in browser or browser-like contexts.
According to the announcement, the vulnerabilities are fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3; earlier releases on those branches are affected. Users of Firefox, Firefox ESR, and Thunderbird are urged to update to these or later versions immediately to protect against attacks leveraging these vulnerabilities.
Security Vulnerabilities fixed by the Mozilla Team
- CVE-2023-5168: Out-of-bounds write in FilterNodeD2D1 (High)
- CVE-2023-5169: Out-of-bounds write in PathOps (High)
- CVE-2023-5171: Use-after-free in Ion Compiler (High)
- CVE-2023-5174: Double-free in process spawning on Windows (Moderate)
- CVE-2023-5176: Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3 (High)
Mozilla's prompt release of fixes across Firefox, Firefox ESR, and Thunderbird, with advisories published alongside the patched builds, is a good example of coordinated disclosure and of keeping users secure. Anyone using these products should make sure automatic updates are enabled, or update manually, and then restart the application: a downloaded update only takes effect after a restart.
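As an added example (not from the article or from Mozilla), the following POSIX shell script checks whether a given Firefox, Firefox ESR, or Thunderbird version string already carries these fixes. It only assumes the fixed versions named above (Firefox 118, Firefox ESR 115.3, Thunderbird 115.3) and the version format that firefox --version and thunderbird --version print on Linux and macOS (for example "Mozilla Firefox 115.3.0esr"); it handles the two Firefox branches separately, since a non-ESR 115.x or 117.x build still needs 118. The sample strings at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example: does an installed Mozilla build already include the fixes
# from the Firefox 118 / Firefox ESR 115.3 / Thunderbird 115.3 advisories?
# Assumption: version strings look like the output of `firefox --version`
# or `thunderbird --version`, e.g. "Mozilla Firefox 115.3.0esr".

# vercmp A B: compare two dotted numeric versions; prints -1, 0 or 1.
# Missing trailing components count as 0, so 118 == 118.0 == 118.0.0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ -z "$ai" ]; then ai=0; fi
        if [ -z "$bi" ]; then bi=0; fi
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# mfsa_status PRODUCT VERSION_STRING
# PRODUCT is "firefox" or "thunderbird". Prints one of:
#   patched      - at or above the fixed version for that branch
#   vulnerable   - below the fixed version for that branch
#   unsupported  - ESR/Thunderbird branch older than 115, which these
#                  advisories do not cover at all (update regardless)
#   unknown      - unparseable input
mfsa_status() {
    product="$1"; raw="$2"
    # Keep only the leading dotted number: "Mozilla Firefox 115.3.0esr" -> 115.3.0
    ver=$(printf '%s\n' "$raw" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
    if [ -z "$ver" ]; then printf '%s\n' unknown; return; fi
    major="${ver%%.*}"
    case "$product" in
        firefox)
            # The "esr" suffix distinguishes the ESR branch from the
            # rapid-release branch; the two have different fixed versions.
            case "$raw" in
                *esr*) min=115.3; floor=115 ;;
                *)     min=118;   floor=0 ;;
            esac ;;
        thunderbird) min=115.3; floor=115 ;;
        *) printf '%s\n' unknown; return ;;
    esac
    if [ "$major" -lt "$floor" ]; then printf '%s\n' unsupported; return; fi
    if [ "$(vercmp "$ver" "$min")" -ge 0 ]; then
        printf '%s\n' patched
    else
        printf '%s\n' vulnerable
    fi
}

# Constructed sample strings (not real system output) showing each branch:
for s in 'Mozilla Firefox 117.0.1' 'Mozilla Firefox 118.0' \
         'Mozilla Firefox 115.3.0esr' 'Mozilla Firefox 115.2.1esr' \
         'Mozilla Firefox 115.3.0'; do
    printf '%-28s %s\n' "$s" "$(mfsa_status firefox "$s")"
done
printf '%-28s %s\n' 'Mozilla Thunderbird 115.3.0' \
    "$(mfsa_status thunderbird 'Mozilla Thunderbird 115.3.0')"
```

On a live system, pass the real output in, e.g. mfsa_status firefox "$(firefox --version)". Note that "Mozilla Firefox 115.3.0" without the esr suffix is reported as vulnerable: that is the rapid-release 115 build, which needs 118, not the ESR build. On Windows, read the version from about:support or the executable's properties instead.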
The full details are in the separate Mozilla advisories for Firefox, Firefox ESR, and Thunderbird. The Firefox 118 advisory also covers fixes that were not needed in the ESR and Thunderbird branches, so check the advisory for the product you actually run.