CVE-2021-29964

7.1 HIGH

📋 TL;DR

This vulnerability allows a malicious program already running on a Windows system to send specially crafted WM_COPYDATA messages to Firefox, causing an out-of-bounds memory read. This could potentially leak sensitive information from Firefox's memory. Only affects Firefox, Thunderbird, and Firefox ESR on Windows operating systems.

💻 Affected Systems

Products:
  • Firefox
  • Thunderbird
  • Firefox ESR
Versions: Thunderbird < 78.11, Firefox < 89, Firefox ESR < 78.11
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows operating systems. Linux, macOS, and other OS are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Information disclosure of sensitive data from Firefox's memory space, potentially including session cookies, passwords, or other private user data.

🟠 Likely Case: Limited information disclosure of non-sensitive memory contents due to the constrained nature of out-of-bounds reads.

🟢 If Mitigated: No impact if systems are patched or if proper endpoint security prevents malicious local programs from executing.

🌐 Internet-Facing: LOW - Requires local program execution, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Malicious insider or compromised workstation could exploit this to gather information from other users' browser sessions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local program execution on target Windows system. Exploit would need to bypass standard Windows security controls to run malicious code locally.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Thunderbird 78.11+, Firefox 89+, Firefox ESR 78.11+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2021-23/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Click menu → Help → About Firefox/Thunderbird.
3. Allow the automatic update to complete.
4. Restart the browser when prompted.

🔧 Temporary Workarounds

Disable automatic updates check (Windows)

Temporarily disable automatic updates to prevent potential exploitation during the update process.

Not applicable - configure via browser settings.

🧯 If You Can't Patch

  • Restrict local program execution through application whitelisting or endpoint security
  • Use alternative browsers on Windows systems until patches can be applied

🔍 How to Verify

Check if Vulnerable:

Check browser version: Firefox/Thunderbird → Help → About. If version is below patched versions, system is vulnerable.

Check Version:

Not applicable - check via browser GUI or registry: HKEY_CURRENT_USER\Software\Mozilla\Firefox for version info

Verify Fix Applied:

Confirm browser version is Thunderbird ≥78.11, Firefox ≥89, or Firefox ESR ≥78.11 after update.
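The version comparison behind the checks above, written out as an added example (not code from the advisory or from Mozilla). It assumes you have already obtained the version string from the About dialog, the registry key named above, or the file version of firefox.exe/thunderbird.exe; the thresholds are the patched versions the advisory lists (Thunderbird 78.11, Firefox 89, Firefox ESR 78.11). A Firefox version string carrying the "esr" suffix is compared against the ESR threshold.

```python
"""Version-threshold check for CVE-2021-29964 (added example, not from the advisory)."""
import re
from typing import Tuple

# Minimum patched versions, taken from the advisory's "Patch Version" line.
PATCHED_VERSIONS = {
    "firefox": (89, 0),
    "firefox esr": (78, 11),
    "thunderbird": (78, 11),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a Mozilla version string such as '78.10.1', '89.0' or '78.11.0esr'
    into a tuple of integers; a trailing non-numeric suffix ('esr', 'b3') is dropped."""
    core = re.match(r"^\s*(\d+(?:\.\d+)*)", version)
    if not core:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in core.group(1).split("."))


def normalise_product(product: str, version: str) -> str:
    """Map the product name to a key of PATCHED_VERSIONS, routing 'esr' builds to the ESR row."""
    name = product.strip().lower()
    if name == "firefox" and version.strip().lower().endswith("esr"):
        name = "firefox esr"
    if name not in PATCHED_VERSIONS:
        raise ValueError(f"unknown product: {product!r}")
    return name


def is_vulnerable(product: str, version: str) -> bool:
    """True when the installed version is below the advisory's patched version.
    Tuple comparison handles differing lengths: (78, 11, 0) is not below (78, 11)."""
    name = normalise_product(product, version)
    return parse_version(version) < PATCHED_VERSIONS[name]


if __name__ == "__main__":
    # Constructed sample inputs, not readings from a real host.
    for product, version in [("Firefox", "88.0.1"), ("Firefox", "89.0"),
                             ("Firefox", "78.10.0esr"), ("Firefox ESR", "78.11.0"),
                             ("Thunderbird", "78.10.2")]:
        state = "VULNERABLE" if is_vulnerable(product, version) else "patched"
        print(f"{product:12} {version:12} {state}")
```

If the version string for an ESR install does not carry the "esr" suffix (the registry and file-version fields often omit it), pass "Firefox ESR" as the product explicitly; otherwise a 78.x build is compared against the mainline 89 threshold and reported vulnerable even when it is at 78.11.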

📡 Detection & Monitoring

Log Indicators:

  • Unusual WM_COPYDATA message processing in Windows event logs
  • Browser crash reports related to memory access violations

Network Indicators:

  • None - this is a local exploitation vulnerability

SIEM Query:

Windows Event ID 1000 (Application Error) with Firefox/Thunderbird process names and exception code 0xC0000005 (ACCESS_VIOLATION)
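The SIEM query above expressed as filter logic over exported event records, as an added example that is not part of the advisory. It assumes the Application log has been exported with an EventID field and the event's Message text, whose standard Application Error wording includes "Faulting application name: ..." and "Exception code: 0x..."; the sample records below are constructed for the example, not real telemetry.

```python
"""Filter Event ID 1000 (Application Error) records for Firefox/Thunderbird crashes
with exception code 0xC0000005 (ACCESS_VIOLATION). Added example, not from the advisory."""
import re
from typing import Dict, Iterable, List

# Process names named in the advisory's SIEM query, lower-cased for matching.
WATCHED_PROCESSES = {"firefox.exe", "thunderbird.exe"}
ACCESS_VIOLATION = 0xC0000005

# Application Error messages carry 'Faulting application name: X, version: ...'
# and 'Exception code: 0x........'; these patterns extract both fields.
APP_RE = re.compile(r"Faulting application name:\s*([^,\s]+)", re.IGNORECASE)
EXC_RE = re.compile(r"Exception code:\s*0x([0-9a-f]{8})", re.IGNORECASE)


def match_event(event: Dict[str, object]) -> bool:
    """True for an Event ID 1000 record from a watched process with an access-violation code."""
    if event.get("EventID") != 1000:
        return False
    message = str(event.get("Message", ""))
    app = APP_RE.search(message)
    exc = EXC_RE.search(message)
    if not app or not exc:
        return False
    return (app.group(1).lower() in WATCHED_PROCESSES
            and int(exc.group(1), 16) == ACCESS_VIOLATION)


def find_suspicious_crashes(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the records that satisfy the advisory's SIEM query."""
    return [e for e in events if match_event(e)]


# Constructed sample records shaped like exported Application log entries (not real data).
SAMPLE_EVENTS = [
    {"EventID": 1000, "Computer": "WS01",
     "Message": "Faulting application name: firefox.exe, version: 88.0.1.7772\n"
                "Exception code: 0xc0000005\nFault offset: 0x0000000000123456"},
    {"EventID": 1000, "Computer": "WS02",   # wrong process: ignored
     "Message": "Faulting application name: notepad.exe, version: 10.0.19041.1\n"
                "Exception code: 0xc0000005"},
    {"EventID": 1000, "Computer": "WS03",   # watched process, different exception: ignored
     "Message": "Faulting application name: thunderbird.exe, version: 78.10.2.7791\n"
                "Exception code: 0xc0000409"},
    {"EventID": 1001, "Computer": "WS01",   # Windows Error Reporting event, not 1000: ignored
     "Message": "Fault bucket 1234567890, type 4\nEvent Name: APPCRASH\nP1: firefox.exe"},
    {"EventID": 1000, "Computer": "WS04",
     "Message": "Faulting application name: thunderbird.exe, version: 78.10.1.7780\n"
                "Exception code: 0xc0000005"},
]

if __name__ == "__main__":
    for hit in find_suspicious_crashes(SAMPLE_EVENTS):
        print(hit["Computer"], hit["Message"].splitlines()[0])
```

Treat a hit as a coarse indicator: an access violation in the browser process has many benign causes, and the out-of-bounds read the advisory describes is an information disclosure that need not crash the process at all, so the absence of Event 1000 records is not evidence that nothing happened. Pair this with the version check in "How to Verify" to confirm the host is actually below the patched release.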

🔗 References
