
Firefox zero day in the wild: patch now (Tor Browser too!)
2020-04-05 19:21

Mozilla just pushed out an update for its Firefox browser to patch a security hole that was already being exploited in the wild.

Given that the bug needed patching in both the latest and the ESR versions, we can assume either that the vulnerability has been in the Firefox codebase at least since version 68 first appeared, which was back in July 2019, or that it was introduced as a side effect of a security fix that came out after version 68.0 showed up (an ESR build receives security fixes only, so that is the only route by which a later bug could have reached it). ESR stands for Extended Support Release: it gets security patches for an extended period but no new features, so the ESR is popular with IT departments who want to avoid frequent feature updates that might require changes in company workflow, but don't want to lag behind on security patches.

The bug details in Mozilla's bug database aren't open for public viewing yet, presumably because the Mozilla coders who fixed the flaw have, of necessity, described and discussed it in sufficient detail to make additional exploits very much easier to create.

A use-after-free is a class of memory-safety bug in which a program keeps using a block of memory after it has handed that block back to the allocator, by which time the same bytes may already have been reissued for some entirely different purpose.

In some cases, use-after-free bugs can allow an attacker to change the flow of control inside your program: if the attacker can get their own data into the reissued block at the spot where the program still expects to find a pointer it is going to call, the CPU can be diverted to run untrusted code that the attacker just poked into memory from outside, thereby sidestepping any of the browser's usual security checks or "Are you sure" dialogs.
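The following is an added illustration of that mechanism, not code from the article or from Firefox, and it says nothing about the specific Mozilla bug. It uses a small made-up slab allocator so that the slot reuse is deterministic (real allocators such as glibc's tcache reuse small same-sized chunks last-in-first-out in much the same way); the `Element` type, the `benign_handler` and `attacker_payload` functions and the flows named `vulnerable_flow` and `fixed_flow` are all assumptions for the demo. In the vulnerable flow the program frees an object that still has a second reference, the attacker grabs a same-sized buffer and lands in the same slot, writes an address over the object's function pointer, and the stale reference calls it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy slab allocator (assumption for this demo): every allocation is one
 * fixed-size slot and freed slots are handed out again last-in-first-out.
 * Real allocators behave the same way for small chunks of equal size, and
 * that reuse is what turns a dangling pointer into a control-flow hijack. */
#define SLOT_SIZE 32
#define NSLOTS 8

static union { void *align; unsigned char bytes[SLOT_SIZE]; } slots[NSLOTS];
static int free_stack[NSLOTS];
static int free_top;    /* index into free_stack of the most recently freed slot, -1 if none */
static int next_fresh;  /* first never-used slot */

static void slab_reset(void) { free_top = -1; next_fresh = 0; }

static void *slab_alloc(void) {
    if (free_top >= 0) return slots[free_stack[free_top--]].bytes;  /* reuse the hole */
    if (next_fresh < NSLOTS) return slots[next_fresh++].bytes;
    return NULL;
}

static void slab_free(void *p) {
    ptrdiff_t off = (unsigned char *)p - (unsigned char *)slots;
    free_stack[++free_top] = (int)(off / (ptrdiff_t)sizeof slots[0]);
}

/* The victim: a heap object carrying a function pointer, much like a DOM
 * element with an attached event handler. */
typedef void (*handler_fn)(const char *);
typedef struct {
    handler_fn on_event;
    char name[SLOT_SIZE - sizeof(handler_fn)];
} Element;

static int g_result;
static void benign_handler(const char *ev) { (void)ev; g_result = 1; }
/* Stands in for code the attacker would normally have to smuggle in
 * (shellcode or a ROP chain); here it is just another function in the binary. */
static void attacker_payload(const char *ev) { (void)ev; g_result = 0x1337; }

/* Vulnerable: the element is freed while a second reference is still live.
 * The attacker allocates a same-sized buffer (a string, say), gets the same
 * slot back, fills its first pointer-sized bytes with an address of their
 * choosing, and the stale reference calls straight into it. Returns 0x1337. */
int vulnerable_flow(void) {
    slab_reset();
    g_result = 0;
    Element *el = slab_alloc();
    el->on_event = benign_handler;
    strcpy(el->name, "button");
    Element *pending = el;                 /* e.g. an event queued for later delivery */

    slab_free(el);                         /* element released ... */
    unsigned char *attacker = slab_alloc();  /* ... and its slot reissued to the attacker */
    handler_fn fp = attacker_payload;
    memcpy(attacker, &fp, sizeof fp);      /* attacker bytes now sit where on_event was */

    pending->on_event("click");            /* use after free: control flow hijacked */
    return g_result;
}

/* Fixed: no reference may outlive the object it points to. Modelled here by
 * dropping the pending reference before the owner frees; real code gets the
 * same guarantee from ownership rules, reference counting or weak references.
 * Returns 0 because the handler is never called. */
int fixed_flow(void) {
    slab_reset();
    g_result = 0;
    Element *el = slab_alloc();
    el->on_event = benign_handler;
    strcpy(el->name, "button");
    Element *pending = el;

    pending = NULL;                        /* cancel the queued event before teardown */
    slab_free(el);
    unsigned char *attacker = slab_alloc();
    handler_fn fp = attacker_payload;
    memcpy(attacker, &fp, sizeof fp);      /* same attacker write, now harmless */

    if (pending) pending->on_event("click");  /* never runs: nothing is dangling */
    return g_result;
}

int main(void) {
    printf("vulnerable flow: g_result = 0x%x\n", vulnerable_flow());
    printf("fixed flow:      g_result = 0x%x\n", fixed_flow());
    return 0;
}
```

Note that the attacker never needs the `Element` type: they only need an allocation of the same size and control over its contents, which a browser hands out freely (strings, array buffers). That is also why the fix is about object lifetime rather than about validating the attacker's data.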


News URL

https://nakedsecurity.sophos.com/2020/04/05/firefox-zero-day-in-the-wild-patch-now/