
Old, critical Firefox updates STILL need patching

It isn’t just Chrome that organizations are struggling to keep updated.

Two weeks ago, I wrote about how difficult it is to keep browsers updated in an organization, after discovering that the top five known-to-be-exploited vulnerabilities that were still unpatched were either Chrome or Safari flaws.

One possible reason for so many of the vulnerabilities being browser-based is that some companies allow employees to choose their browser, and also trust them to keep the browser updated.

Another is that even in environments where browser updates are centrally managed through a patching process, security is only ever one of several considerations an organization has to weigh. Disruption is another: everyone has a browser, and browsers are heavily used, so forcing a browser update, which usually triggers a restart, can inconvenience a lot of (vocal) users.

This week, I decided to look at the Firefox browser to see if companies that used it had an easier time patching. Spoiler alert: No, they don’t. Apparently, it’s the type of application that makes this hard, not the vendor. But, as we’ll see, in Firefox’s case postponing the update might introduce an extra problem into the mix.

I found seven Firefox vulnerabilities with a high or critical severity that remained unpatched over the last two months, in numbers that no non-browser application matches. I looked at the last two months because the most recent update that was marked critical by Mozilla was published on March 22, 2024.

That update fixed CVE-2024-2608, a possible integer overflow, collections of memory safety bugs under CVE-2024-2614 and CVE-2024-2615, and two critical vulnerabilities found during the Pwn2Own Vancouver 2024 hacking competition, CVE-2024-29943 and CVE-2024-29944. Together, the last two vulnerabilities allowed the researcher to achieve a sandbox escape of Firefox. (The sandbox is employed to protect against malicious content entering the system through the browser.)

The problem is compounded by the fact that some of the unpatched Firefox vulnerabilities affect more than just Mozilla’s browser: several of the listed vulnerabilities also apply to Mozilla’s Thunderbird email client. So the choice to postpone a browser update because it might inconvenience some users can also keep a vulnerability alive in an application nobody was thinking about. This is a common problem when vulnerabilities are found in libraries that are shared by many applications.

Having the email client as an extra attack vector makes a vulnerability all the more attractive for cybercriminals.
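The point above, that one advisory can leave a host exposed through Thunderbird even after Firefox has been patched, is easy to miss when exposure is tracked per advisory rather than per application. The following is an added example, not code from the post or from ThreatDown: it checks a constructed software inventory against a constructed advisory list, treating the ESR channel as its own product line. Every advisory id, product name and version number in it is a placeholder I made up for the illustration, not Mozilla’s real fixed versions.

```python
"""Per-application exposure check for advisories shared across products.

Added example. All advisory ids, version numbers and inventory rows are
constructed placeholders, not real Mozilla release data.
"""
import re
from typing import Dict, List, Tuple

# Constructed advisories: for each affected product line, the first version
# that carries the fix. "firefox-esr" is tracked separately from "firefox".
ADVISORIES: List[Dict] = [
    {"id": "EXAMPLE-ADV-1", "severity": "critical",
     "fixed": {"firefox": "99.2.0", "firefox-esr": "98.8.0", "thunderbird": "98.8.0"}},
    {"id": "EXAMPLE-ADV-2", "severity": "high",
     "fixed": {"firefox": "99.0.0"}},
]

# Constructed inventory rows: (host, product, installed version string).
INVENTORY: List[Tuple[str, str, str]] = [
    ("ws01", "firefox", "99.2.0"),       # browser patched...
    ("ws01", "thunderbird", "98.0.1"),   # ...but the mail client is not
    ("ws02", "firefox", "98.7.0esr"),    # ESR channel, one release behind
    ("ws02", "thunderbird", "99.1.0"),
    ("ws03", "firefox", "98.9.0"),       # behind on both advisories
]

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(esr)?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], bool]:
    """Split '98.7.0esr' into ((98, 7, 0), True). Rejects anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2) == "esr"


def version_key(numbers: Tuple[int, ...]) -> Tuple[int, ...]:
    """Right-pad with zeros so '99.2' and '99.2.0' compare equal."""
    return numbers + (0,) * (4 - len(numbers))


def product_line(product: str, is_esr: bool) -> str:
    """Map an installed (product, channel) pair to the advisory's product key."""
    return f"{product}-esr" if is_esr else product


def missing_patches(inventory, advisories) -> List[Tuple[str, str, str, str, str]]:
    """Return (host, product, installed, advisory id, severity) for every
    installed application that is still below the advisory's fixed version."""
    findings = []
    for host, product, installed in inventory:
        numbers, is_esr = parse_version(installed)
        line = product_line(product, is_esr)
        for adv in advisories:
            fixed = adv["fixed"].get(line)
            if fixed is None:
                continue  # this product line is not affected by this advisory
            if version_key(numbers) < version_key(parse_version(fixed)[0]):
                findings.append((host, product, installed, adv["id"], adv["severity"]))
    return findings


def exposed_hosts(findings) -> Dict[str, List[str]]:
    """Group findings by host so a host patched in one app but not another
    still shows up."""
    by_host: Dict[str, List[str]] = {}
    for host, product, installed, adv_id, severity in findings:
        by_host.setdefault(host, []).append(f"{product} {installed}: {adv_id} ({severity})")
    return by_host


if __name__ == "__main__":
    for host, items in sorted(exposed_hosts(missing_patches(INVENTORY, ADVISORIES)).items()):
        print(host)
        for item in items:
            print("   ", item)
```

Run as a script it lists ws01 once (Thunderbird only, even though its Firefox is current), ws02 once (the ESR build) and ws03 twice. The design choice worth noting is that the advisory is keyed by product line rather than by vulnerability: a real feed would carry the same CVE under several product entries, and collapsing those into one "patched" flag per host is exactly how the Thunderbird exposure described above gets lost.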

If you’re struggling to stay on top of this kind of patching, you can create a schedule to install third-party software updates regularly in ThreatDown’s Nebula. And, if you like, you can single out Thunderbird and leave the browser updates to the individual users.

Adding a patch schedule for Mozilla Thunderbird in ThreatDown Nebula

Happy patching!

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in check by using ThreatDown’s Vulnerability Assessment and Patch Management solutions.