Security News > 2020 > April > Update Firefox again – more RCEs and an Android “takeover” bug too
We'll refer to this one a Fourthytuesday instead, now that Firefox has reduced its update wavelength to four weeks to get important-but-not-zero-day-critical fixes out just that bit more frequently.
If your automatic update hasn't happened yet, a manual check will let you "Jump the queue" and get the update a bit sooner.
CVE-2020-6828: Preference overwrite via crafted Intent from malicious Android application A malicious Android application could craft an Intent that would have been processed by Firefox for Android and potentially result in a file overwrite in the user's profile directory.
CVE-2020-6824: Generated passwords may be identical on the same site between separate private browsing sessions Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open.
Going to a website to change your password - after a breach notification, for example - is likely enough, but changing it twice in a row to a "Random" password without exiting Firefox inbetween isn't likely at all.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-04-24 | CVE-2020-6824 | Session Fixation vulnerability in Mozilla Firefox Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open. | 1.9 |
| 2020-04-24 | CVE-2020-6828 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mozilla Firefox ESR A malicious Android application could craft an Intent that would have been processed by Firefox for Android and potentially result in a file overwrite in the user's profile directory. | 6.4 |