Firefox zero day in the wild: patch now (Tor Browser too!)
Security News, April 2020
Mozilla just pushed out an update for its Firefox browser to patch a security hole that was already being exploited in the wild.
Given that the bug needed patching in both the latest and the ESR versions, we can assume either that the vulnerability has been in the Firefox codebase at least since version 68 first appeared, which was back in July 2019, or that it was introduced as a side effect of a security fix that came out after version 68.0 showed up.
The ESR is popular with IT departments who want to avoid frequent feature updates that might require changes in company workflow, but don't want to lag behind on security patches.
The bug details in Mozilla's bug database aren't open for public viewing yet, presumably because the Mozilla coders who fixed the flaw have, of necessity, described and discussed it in sufficient detail to make additional exploits very much easier to create.
A use-after-free is a class of bug in which a program keeps using a block of memory after it has already been released, by which time the block may have been handed out again for something else.
In some cases, use-after-free bugs can allow an attacker to change the flow of control inside your program, including diverting the CPU to run untrusted code that the attacker just poked into memory from outside, thereby sidestepping any of the browser's usual security checks or "Are you sure" dialogs.
News URL
https://nakedsecurity.sophos.com/2020/04/05/firefox-zero-day-in-the-wild-patch-now/