Mozilla fixes two Firefox zero-days being actively exploited

News
By published

Critical vulnerabilities allow attackers to execute arbitrary code or trigger crashes

Firefox icon

Mozilla has moved fast to fix two Firefox browser zero-day vulnerabilities being actively exploited in the wild.

The flaws are both "use-after-free" vulnerabilities that could potentially allow attackers to execute arbitrary code or trigger crashes on machines running vulnerable versions of the Firefox browser.

The first bug, tracked as CVE-2020-6819, is tied to the browser component “nsDocShell destructor”, while the second zero-day, CVE-2020-6820, is linked to a race condition in the ReadableStream class, which is used to read a stream of data.

As per Mozilla's security advisory, the Firefox developers "are aware of targeted attacks in the wild abusing" these two critical flaws. However, details about the actual attacks where these two bugs are being exploited are still kept under wraps.

“Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution,” according to a Center for Internet Security bulletin.

“Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”

Microsoft's Edge now more popular than Firefox for the first time Mozilla fixes Firefox zero-day being actively exploited Best web browsers 2023: Google Chrome vs Microsoft Edge vs Firefox Tenable declares there are far worse security threats to fear than zero-day exploits

The discovery of these vulnerabilities was credited to security researchers Francisco Alonso and Javier Marcos. Alonso tweeted there are “more details to be published (including other browsers),” indicating these flaws likely also affect other web browsers.

Fixes are available in Firefox 74.0.1 and are also available for Firefox 68 users with version 68.6.

Mozilla patched another actively exploited Firefox zero-day with the release of Firefox 72.0.1 in January, which it also warned was being used in targeted attacks. This critical flaw, branded CVE-2019-17026, allowed an attacker to seize control of an affected computer through a mechanism that leads to ‘type confusion’.

Carly Page
Carly Page

Carly Page is a freelance technology journalist, editor and copywriter specialising in cyber security, B2B, and consumer technology. She has more than a decade of experience in the industry and has written for a range of publications including Forbes, IT Pro, the Metro, TechRadar, TechCrunch, TES, and WIRED, as well as offering copywriting and consultancy services. 

Prior to entering the weird and wonderful world of freelance journalism, Carly served as editor of tech tabloid The INQUIRER from 2012 and 2019. She is also a graduate of the University of Lincoln, where she earned a degree in journalism.

You can check out Carly's ramblings (and her dog) on Twitter, or email her at hello@carlypagewrites.co.uk.

Open source vulnerabilities concept image showing HTML code on a computer screen.

Open source risks threaten all business users – it’s clear we must get a better understanding of open source software
ChatGPT logo and branding pictured in white coloring against a black backdrop.

DeepSeek and Anthropic have a long way to go to catch ChatGPT: OpenAI's flagship chatbot is still far and away the most popular AI tool in offices globally
A telephoto shot of Evan Goldberg, founder and EVP at Oracle NetSuite, pictured from the waist up speaking onstage at the opening keynote of SuiteConnect London 2025.

‘Every feature that comes into NetSuite over the coming years is going to have AI’: NetSuite’s Evan Goldberg on the future of the platform and how AI will drive customer success
See more latest
Most Popular
ChatGPT logo and branding pictured in white coloring against a black backdrop.
DeepSeek and Anthropic have a long way to go to catch ChatGPT: OpenAI's flagship chatbot is still far and away the most popular AI tool in offices globally
A telephoto shot of Evan Goldberg, founder and EVP at Oracle NetSuite, pictured from the waist up speaking onstage at the opening keynote of SuiteConnect London 2025.
‘Every feature that comes into NetSuite over the coming years is going to have AI’: NetSuite’s Evan Goldberg on the future of the platform and how AI will drive customer success
Cybersecurity concept image symbolizing third-party data breaches with give padlock symbols and one pictured in red, signifying a security breach.
These five countries recorded the most third-party data breaches last year
Phishing concept image showing an email symbol with fishing hook.
Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attack
Flexible work concept image showing woman working in office environment side by side with woman working from home.
IT professionals aren’t budging on flexible work demands – and more than half say they’ll quit if employers don’t meet expectations
Cybersecurity team members discussing strategy in an open plan office space, with male and female practitioners standing and others sitting at desks.
UK tech firms have a chance to trial a four-day week this year – here's how other pilot schemes fared
Cyber security concept image showing a digitized padlock sitting on a blue colored circuit board.
LevelBlue launches new partner program that’s “built for the future”
23andMe logo and branding pictured on a sign outside the company headquarters in Sunnyvale, California.
Millions of 23andMe users’ genetic data could be up for grabs – and experts worry it’s a looming privacy nightmare
Microsoft Copilot logo and branding pictured on a smartphone screen.
Microsoft launches new security AI agents to help overworked cyber professionals
Malware Detected Warning Screen with abstract binary code 3d digital concept
Fake file converter tools are on the rise – here’s what you need to know