Security News > 2022 > March > 2 New Mozilla Firefox 0-Day Bugs Under Active Attack — Patch Your Browser ASAP!
Mozilla has pushed out-of-band software updates to its Firefox web browser to contain two high-impact security vulnerabilities, both of which it says are being actively exploited in the wild.
Tracked as CVE-2022-26485 and CVE-2022-26486, the zero-day flaws have been described as use-after-free issues impacting the Extensible Stylesheet Language Transformations parameter processing and the WebGPU inter-process communication Framework.
CVE-2022-26485 - Removing an XSLT parameter during processing could lead to an exploitable use-after-free.
CVE-2022-26486 - An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape.
Use-after-free bugs - which could be exploited to corrupt valid data and execute arbitrary code on compromised systems - stem mainly from a "Confusion over which part of the program is responsible for freeing the memory."
In light of active exploitation of the flaws, users are recommended to upgrade as soon as possible to Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, Focus 97.3.0, and Thunderbird 91.6.2.
News URL
https://thehackernews.com/2022/03/2-new-mozilla-firefox-0-day-bugs-under.html
Related news
- Mozilla really wants you to easily set Firefox as default Windows browser (source)
- Mozilla really wants you to set Firefox as default Windows browser (source)
- CISA Urges Agencies to Patch Critical "Array Networks" Flaw Amid Active Attacks (source)
- Malicious Browser Extensions are the Next Frontier for Identity Attacks (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-12-22 | CVE-2022-26486 | Use After Free vulnerability in Mozilla products An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. | 9.6 |
2022-12-22 | CVE-2022-26485 | Use After Free vulnerability in Mozilla products Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. | 8.8 |