The Mozilla Firefox Zero-day Vulnerabilities
On Friday, Mozilla released a security advisory and an urgent update fixing two high-impact security vulnerabilities in its Firefox web browser that it says are being actively exploited in the wild. The update was shipped outside the company's normal release cycle.
The CVE-2022-26485 and CVE-2022-26486 Vulnerabilities
Zero-day vulnerabilities CVE-2022-26485 and CVE-2022-26486 have been identified and are being tracked as use-after-free issues affecting the Extensible Stylesheet Language Transformations (XSLT) parameter processing and the WebGPU inter-process communication (IPC) Framework, according to the CVE database.
Researchers Liu Jialei, Wang Gang, Du Sihang, Yang Kang, and Huang Yi of the Chinese security firm Qihoo 360 ATA are credited with identifying and disclosing the flaws.
Because the issues are being actively exploited, users are advised to upgrade to the latest releases: Firefox 97.0.2, Firefox ESR 91.6.1, Mozilla Firefox for Android, Focus 97.3.0, and Thunderbird 91.6.2.
Here is a brief description of the two flaws that need to be addressed:
- CVE-2022-26485: removing an XSLT parameter while it is being processed can lead to an exploitable use-after-free.
- CVE-2022-26486: an unexpected message received by the WebGPU IPC framework can lead to a use-after-free and an exploitable sandbox escape.
According to specialists, use-after-free flaws arise mostly from confusion over which component of a program is responsible for freeing a piece of memory: one component frees it while another still holds a pointer to it. Attackers can exploit such flaws to corrupt legitimate data and execute malicious code on compromised systems.
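To make the ownership point concrete, here is an added illustration (not Mozilla's code, and not the actual bug) of the pattern behind a parameter-removal use-after-free, written in C. A "registry" component and a "processor" component share a parameter object; in the vulnerable design neither side knows who owns it, so the registry frees it mid-processing and the processor keeps using the stale pointer. The hardened version makes ownership explicit with reference counting. A small hypothetical allocation tracker quarantines freed blocks and checks each use against the live set, in miniature the way a sanitizer catches use-after-free, so the bug is reported rather than triggered. All names (`param_t`, `tracked_alloc`, `vulnerable_flow`, `hardened_flow`) are invented for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allocation tracker for this example only. Freed blocks are
 * quarantined rather than returned to the heap, so a later "use" can be
 * checked against the live set instead of dereferencing freed memory. */
#define MAX_TRACKED 16
static void *live[MAX_TRACKED];
static void *quarantine[MAX_TRACKED];
static int uaf_detected = 0;

static void *tracked_alloc(size_t n) {
    void *p = calloc(1, n);
    if (!p) return NULL;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;
}

static int is_live(const void *p) {
    for (int i = 0; i < MAX_TRACKED; i++)
        if (live[i] == p) return 1;
    return 0;
}

static void tracked_free(void *p) {
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (live[i] == p) {
            live[i] = NULL;
            for (int j = 0; j < MAX_TRACKED; j++)
                if (!quarantine[j]) { quarantine[j] = p; return; }
        }
    }
}

int live_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_TRACKED; i++) n += live[i] != NULL;
    return n;
}

/* Actually release quarantined blocks; call once at the very end. */
void tracker_reset(void) {
    for (int i = 0; i < MAX_TRACKED; i++) { free(quarantine[i]); quarantine[i] = NULL; }
}

/* A parameter shared by a "registry" (adds/removes parameters) and a
 * "processor" (reads them while working). Loosely modelled on the XSLT
 * parameter scenario described above; the structure is invented. */
typedef struct { char name[32]; int refcount; } param_t;

/* The processor's read. With a real dangling pointer this would be the
 * use-after-free; here the tracker reports it instead. */
int processor_use(param_t *p) {
    if (!is_live(p)) { uaf_detected++; return -1; }
    return (int)strlen(p->name);
}

/* Vulnerable design: no agreed owner. The registry frees on removal while
 * the processor still holds the raw pointer it took before the removal. */
int vulnerable_flow(void) {
    param_t *p = tracked_alloc(sizeof *p);
    if (!p) return -2;
    strcpy(p->name, "indent");
    param_t *processor_ref = p;   /* processor begins work on the parameter */
    tracked_free(p);              /* registry removes it mid-processing      */
    return processor_use(processor_ref);   /* -1: stale use is caught        */
}

/* Hardened design: ownership is explicit through reference counting, so the
 * object outlives every holder and is freed exactly once. */
param_t *param_new(const char *name) {
    param_t *p = tracked_alloc(sizeof *p);
    if (!p) return NULL;
    strncpy(p->name, name, sizeof p->name - 1);
    p->refcount = 1;              /* the registry's reference */
    return p;
}
void param_retain(param_t *p) { p->refcount++; }
void param_release(param_t *p) { if (--p->refcount == 0) tracked_free(p); }

int hardened_flow(void) {
    param_t *p = param_new("indent");
    if (!p) return -2;
    param_retain(p);              /* processor takes its own reference        */
    param_release(p);             /* registry removes it: still live, count 1 */
    int len = processor_use(p);   /* 6: safe, the object is still live        */
    param_release(p);             /* last holder done: freed now, exactly once */
    return len;
}

int main(void) {
    printf("vulnerable flow: %d (use-after-free detected: %d)\n", vulnerable_flow(), uaf_detected);
    printf("hardened flow:   %d (live objects left: %d)\n", hardened_flow(), live_count());
    tracker_reset();
    return 0;
}
```

The detection trick (quarantine freed blocks, then check every use against a live set) is the same idea AddressSanitizer and hardened allocators use to turn a silent memory-safety bug into a loud report during fuzzing and testing; the refcounted design is the fix, because a remove operation can no longer free an object that another component is still reading.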
In a statement, Mozilla confirmed that it had received "reports of attacks in the wild" exploiting the two vulnerabilities but, for security reasons, gave no further technical detail about how the attacks were carried out, nor did it name the actors behind them.