ALERT: Update Firefox to Address Multiple Vulnerabilities

Monday, March 7, 2022

This message is intended for U-M IT staff who are responsible for university systems running Mozilla Firefox as well as users of personal systems with Firefox installed.

Summary

Multiple vulnerabilities in Mozilla Firefox could allow for remote code execution. Mozilla Firefox should be updated as soon as possible to version 97.0.2 or later for Firefox, and version 91.6.1 or later for Firefox Extended Support Release (ESR). The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).

Problem

Multiple vulnerabilities have been discovered in Mozilla Firefox and Firefox ESR, the most severe of which could allow for remote code execution. Both issues create a possible use-after-free vulnerability allowing remote code execution at the logged-in user's level of access.

Threats

Exploitation of these vulnerabilities could lead to remote code execution. These vulnerabilities are being exploited in the wild.

Affected Versions

  • Mozilla Firefox versions prior to 97.0.2
  • Firefox ESR versions prior to 91.6.1

Action Items

Update Firefox to version 97.0.2 or later and update Firefox ESR to version 91.6.1 or later. The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
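Staff verifying a fleet can compare the installed build against the fixed versions above. The following script is an added example, not part of this alert or of Mozilla's tooling; it assumes a `firefox` binary on PATH and that `firefox --version` prints a string such as `Mozilla Firefox 91.6.0esr`, with the `esr` suffix identifying the Extended Support Release.

```python
import re
import shutil
import subprocess

# Minimum fixed versions named in the advisory (release branch and ESR branch).
FIXED_RELEASE = (97, 0, 2)
FIXED_ESR = (91, 6, 1)

_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(text):
    """Extract (major, minor, patch) and an ESR flag from a string such as
    'Mozilla Firefox 91.6.0esr'. Missing components are treated as 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Firefox version found in {text!r}")
    major, minor, patch = (int(x) if x else 0 for x in m.group(1, 2, 3))
    return (major, minor, patch), m.group(4) is not None


def is_affected(text):
    """True if the reported build is one the advisory says must be updated.
    A 91.x build without the 'esr' suffix is compared against the release
    threshold and therefore reported as affected (conservative choice)."""
    version, esr = parse_version(text)
    return version < (FIXED_ESR if esr else FIXED_RELEASE)


def installed_version_string(binary="firefox"):
    """Ask the local Firefox binary for its version; None if it is not on PATH.
    (Binary name is an assumption; on macOS it lives inside Firefox.app.)"""
    path = shutil.which(binary)
    if path is None:
        return None
    result = subprocess.run([path, "--version"], capture_output=True,
                            text=True, timeout=30)
    return result.stdout


if __name__ == "__main__":
    out = installed_version_string()
    if out is None:
        print("firefox not found on PATH")
    else:
        state = "AFFECTED - update required" if is_affected(out) else "patched"
        print(f"{out.strip()}: {state}")
```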

How We Protect U-M

  • Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
  • IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
  • IA provides vulnerability management guidance to the university.

Information for Users

Users should update Firefox as soon as possible. The best protection for all devices is to keep your operating system, software, and apps up-to-date, and to work using an account with the least necessary privileges for the task you need to do.

  • University-managed machines. MiWorkspace staff will release updates for MiWorkspace machines by 3-8-2022. Staff who manage other university machines are expected to apply the update as appropriate for their environments.
  • Personal machines. Firefox is set to update automatically by default. If you have changed that setting or need to update manually, follow the directions at: Update Firefox to the latest release.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.