Malicious code loopholes in Firefox and Thunderbird closed

Important security updates have been released for the e-mail client Thunderbird and the web browser Firefox.


Attackers can target systems on which Firefox or Thunderbird is installed. The iOS version of Firefox is also affected. Among other things, the security updates close vulnerabilities that allow malicious code to run.

The recently closed vulnerabilities are listed in the security section of the Mozilla website. It remains unclear which operating systems are specifically affected. The following versions are protected against possible attacks:

  • Firefox 142
  • Firefox ESR 115.27
  • Firefox ESR 128.14
  • Firefox ESR 140.2
  • Firefox for iOS 142
  • Thunderbird 128.14
  • Thunderbird 140.2
  • Thunderbird 142

Attackers can trigger a memory error in the audio/video GMP component in an unspecified way and thus break out of the sandbox. The vulnerability (CVE-2025-9179) is classified with a threat level of "high". It affects Firefox and Thunderbird.

In addition, further memory errors (CVE-2025-9185, "high") can allow malicious code to reach systems. Computers are then generally considered to be fully compromised. Under iOS, XSS attacks are conceivable (CVE-2025-55032, "high").


So far, there is no information about ongoing attacks. It also remains unclear how to recognize systems that have already been successfully attacked. Users should ensure that they have installed a version that is protected against the attacks described.
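One way to check an inventory against the fixed versions listed above, as an added example that is not part of the original article or Mozilla's tooling. It assumes version strings in the form printed by `firefox --version`, that later builds on a listed branch also carry the fixes, and that majors not listed are unsupported; Firefox for iOS is left out, and the host names and builds are constructed sample data.

```python
import re

# Fixed versions exactly as listed in the article: product -> (major, minor).
FIXED = {
    "firefox": [(115, 27), (128, 14), (140, 2), (142, 0)],
    "thunderbird": [(128, 14), (140, 2), (142, 0)],
}
VERSION_RE = re.compile(r"(firefox|thunderbird)\D*?(\d+)(?:\.(\d+))?", re.I)

def parse_version(text):
    """Return (product, major, minor) from a version string, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1).lower(), int(m.group(2)), int(m.group(3) or 0)

def is_protected(product, major, minor):
    """True if the build is at or above the fix on its own release branch."""
    fixed = FIXED[product]
    if (major, minor) >= max(fixed):  # newest listed branch or later
        return True
    # Older majors count only if they are a listed branch that has the fix.
    return any(major == f_major and minor >= f_minor for f_major, f_minor in fixed)

def audit(inventory):
    """Map each 'host<TAB>version string' line to (host, status)."""
    results = []
    for line in inventory.strip().splitlines():
        host, _, version_text = line.partition("\t")
        parsed = parse_version(version_text)
        if parsed is None:
            status = "unrecognized"
        else:
            status = "protected" if is_protected(*parsed) else "update required"
        results.append((host, status))
    return results

# Constructed sample inventory (host names and builds are made up).
SAMPLE = """\
ws-01\tMozilla Firefox 142.0
ws-02\tMozilla Firefox 141.0.3
ws-03\tMozilla Firefox 128.14.0esr
ws-04\tMozilla Firefox 140.1.0esr
ws-05\tMozilla Thunderbird 128.13.0esr
ws-06\tMozilla Thunderbird 140.2.0esr
ws-07\tLibreOffice 25.2
"""

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

A build such as 141.0.3 is flagged even though its major is higher than the 140 branch, because only 140.2 and later on that branch, or 142 and later, appear in the list of fixed versions.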

Mozilla last warned of phishing attacks on add-on developers at the beginning of August. Unknown attackers were attempting to obtain access data from developers via fake emails. The extent to which this campaign was successful is currently unknown.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.