
Firefox fixes fullscreen fakery flaw – get the update now!
2022-11-16 19:51

The highest severity level is High, which applies to seven different bugs, four of which are memory mismanagement flaws that could lead to a program crash, including CVE-2022-45407, which an attacker could exploit by loading a font file.

Most bugs relating to font file usage are caused by the fact that font files are complex binary data structures, and there are many different file formats that products are expected to support.

The bug can be triggered not by content but by timing: when two or more fonts are loaded at the same time by separate background threads of execution, the browser may mix up the fonts it's processing, potentially putting data chunk X from font A into the space allocated for data chunk Y from font B and thereby corrupting memory.
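The timing dependence described above can be reproduced with a deterministic model that replays fixed interleavings of two font loads. This is an added example, not code from Firefox or from the original article; the Font and Load structures, the 16- and 48-byte sizes and the schedule strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

typedef struct { size_t cap; unsigned char buf[64]; } Font;  /* cap: space allocated for this font's chunk */
typedef struct { Font *font; size_t len; } Load;              /* one in-flight load and its chunk size */
typedef struct { int misplaced; int overflows; } Result;

static Font *current;  /* racy design: a single "font being processed" shared by every loader */

/* Replay one interleaving of two loaders. Lowercase letter = that loader
 * selects its font, uppercase = it copies its chunk. shared=1 uses the racy
 * shared pointer; shared=0 gives each load its own context. */
Result replay(const char *schedule, int shared)
{
    static const unsigned char chunk[48];             /* constructed chunk data (all zero) */
    Font a = { 16, {0} }, b = { 48, {0} };
    Load la = { &a, 16 }, lb = { &b, 48 };
    Result r = { 0, 0 };
    current = NULL;
    for (const char *s = schedule; *s; s++) {
        Load *l = (*s == 'a' || *s == 'A') ? &la : &lb;
        if (*s == 'a' || *s == 'b') { current = l->font; continue; }
        Font *dst = shared ? current : l->font;
        if (dst == NULL) continue;                    /* copy before any select: ignore */
        if (dst != l->font) r.misplaced++;            /* chunk lands in the other font */
        if (l->len > dst->cap) { r.overflows++; continue; }  /* unchecked code would write past buf */
        memcpy(dst->buf, chunk, l->len);
    }
    return r;
}

int main(void)
{
    const char *schedules[] = { "aAbB", "abAB", "baBA" };
    for (int i = 0; i < 3; i++) {
        Result racy = replay(schedules[i], 1), safe = replay(schedules[i], 0);
        printf("%s  shared: misplaced=%d overflows=%d | per-load: misplaced=%d overflows=%d\n",
               schedules[i], racy.misplaced, racy.overflows, safe.misplaced, safe.overflows);
    }
    return 0;
}
```

The same inputs are harmless when the loads run one after the other ("aAbB") and only go wrong when the steps interleave, which is why content-based testing of font files alone does not catch this class of bug.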

If the popup remains corralled inside the browser, so you can't move it to a spot of its own on the screen, then it's obviously just part of the web page you're looking at, rather than a genuine popup generated by the system itself.

Sneaky crooks, for example, could paint a fake operating system popup inside a fake browser window, so that you could indeed drag the "System" dialog anywhere on the screen and convince yourself it was the real deal.

We've deliberately mapped the otherwise unused but easy-to-find PrtSc key on our Linux laptop to lock the screen instantly, reinterpreting it as a handy Protect Screen button instead of Print Screen.


News URL

https://nakedsecurity.sophos.com/2022/11/16/firefox-fixes-fullscreen-fakery-flaw-get-the-update-now/

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
2022-12-22 | CVE-2022-45407 | Use After Free vulnerability in Mozilla Firefox | 7.5
If an attacker loaded a font using FontFace() on a background worker, a use-after-free could have occurred, leading to a potentially exploitable crash.
network, low complexity, mozilla, CWE-416