Mozilla has released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 to address two critical zero-day vulnerabilities that are actively exploited by attacks.
Both zero-day vulnerabilities are “Use-after-free” bugs, meaning a program tries to use memory that was previously cleared. When threats take advantage of this type of bug, the program can crash while simultaneously running commands on the device without permission.
These bugs are critical as they can allow a remote attacker to execute almost any command, including downloading malware to gain further access to the device.
The zero-day vulnerabilities fixed by Mozilla are:
CVE-2022-26485: Use-after-free in XSLT parameter processing – Removing an XSLT parameter during processing can lead to an exploitable use-after-free. We’ve had reports of attacks in the wild taking advantage of this flaw. CVE-2022-26486: Use-after-free in WebGPU IPC Framework – An unexpected message in the WebGPU IPC framework can lead to a use-after-free and exploitable sandbox escape. We’ve had reports of attacks in the wild taking advantage of this flaw.
As Mozilla’s security advisory explains, the Firefox developers are aware of “reports of attacks in the wild” that are actively exploiting these vulnerabilities.
While Mozilla has not shared how threat actors use these zero-day vulnerabilities in attacks, it has likely been done by redirecting Firefox users to maliciously crafted web pages.
These vulnerabilities were discovered and disclosed to Mozilla by Chinese cybersecurity firm Qihoo 360 ATA.
Due to the critical nature of these bugs, and they are actively exploited, it is strongly recommended that all Firefox users update their browsers immediately.
You can also download the latest version of Mozilla Firefox for Windows, macOS, and Linux from the following links:
Users can manually check for new updates by going to the Firefox menu > Help > About Firefox. Firefox will then automatically check for and install the latest update and prompt you to restart your browser.
This post Mozilla Firefox 97.0.2 fixes two actively exploited zero-day bugs
was original published at “https://www.bleepingcomputer.com/news/security/mozilla-firefox-9702-fixes-two-actively-exploited-zero-day-bugs/”
