Mozilla has moved fast to fix two Firefox browser zero-day vulnerabilities being actively exploited in the wild.
The flaws are both "use-after-free" vulnerabilities that could potentially allow attackers to execute arbitrary code or trigger crashes on machines running vulnerable versions of the Firefox browser.
The first bug, tracked as CVE-2020-6819, is tied to the browser component “nsDocShell destructor”, while the second zero-day, CVE-2020-6820, is linked to a race condition in the ReadableStream class, which is used to read a stream of data.
As per Mozilla's security advisory, the Firefox developers "are aware of targeted attacks in the wild abusing" these two critical flaws. However, details about the actual attacks where these two bugs are being exploited are still kept under wraps.
“Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution,” according to a Center for Internet Security bulletin.
“Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”
The discovery of these vulnerabilities was credited to security researchers Francisco Alonso and Javier Marcos. Alonso tweeted there are “more details to be published (including other browsers),” indicating these flaws likely also affect other web browsers.
Fixes are available in Firefox 74.0.1 and are also available for Firefox 68 users with version 68.6.
Mozilla patched another actively exploited Firefox zero-day with the release of Firefox 72.0.1 in January, which it also warned was being used in targeted attacks. This critical flaw, branded CVE-2019-17026, allowed an attacker to seize control of an affected computer through a mechanism that leads to ‘type confusion’.
-
The Race Is On for Higher Ed to Adapt: Equity in Hyflex Learning -
Google faces 'first of its kind' class action for search ads overcharging in UKNews Google faces a "first of its kind" £5 billion lawsuit in the UK over accusations it has a monopoly in digital advertising that allows it to overcharge customers.
-
Zero Trust myths: Fact or fiction?Whitepaper What the myths get right and wrong about Zero Trust
-
ZTNA vs on-premises VPNWhitepaper How ZTNA wins the network security game
-
A roadmap to Zero Trust with Cloudflare and CrowdStrikeWhitepaper Achieve end-to-end protection across endpoints, networks, and applications
-
Spanish spyware outfit uncovered, develops exploits for Windows, Chrome, and FirefoxNews Google was only able to discover the company after an anonymous submission was made to its Chrome bug reporting programme
-
State-sponsored hackers delay new Microsoft Exchange Server by four yearsNews Hafnium's devastating zero-day exploit chain in 2021 forced Microsoft to improve the security of current versions instead of releasing the new one on schedule
-
Chinese hackers exploit Microsoft zero-day as list of vulnerable Office products growsNews Microsoft has published a support guide and temporary workarounds for IT admins to mitigate the threat
-
Google patches second Chrome browser zero-day of 2022News Google acted quickly to secure against the type confusion vulnerability that was under active exploitation
-
Microsoft takes aim at critical RCE flaws with "massive" Patch Tuesday updateNews Microsoft has kicked off 2022 with a score of security fixes for critical-rated vulnerabilities in some of the most widely used products used by businesses around the world
