Mozilla Firefox fixes two exploited zero-day vulnerabilities

The Mozilla Firefox Zero-day Vulnerabilities

On Friday, Mozilla released a security advisory with an urgent update of two high-impact security vulnerabilities in its Firefox web browser that it claims are being actively exploited in the wild. The updates were made available outside the company’s normal release cycle.

Mozilla Firefox Zero Day Vulnerabilitie 1024x558

The CVE-2022-26485 and CVE-2022-26486 Vulnerabilities

Zero-day vulnerabilities CVE-2022-26485 and CVE-2022-26486 have been identified and are being tracked as use-after-free issues affecting the Extensible Stylesheet Language Transformations (XSLT) parameter processing and the WebGPU inter-process communication (IPC) Framework, according to the CVE database.

Researchers Liu Jialei, Wang Gang, Du Sihang, Yang Kang, and Huang Yi of the Chinese security firm Qihoo 360 ATA have been attributed with identifying and disclosing the flaws in the software.

XSLT is an XML-based language that is used to convert XML documents into web pages or PDF documents, whereas WebGPU is a new web standard that has been hailed as a successor to the present WebGL JavaScript graphics library, which is based on the JavaScript programming language.

The issues are now being actively exploited, thus, users are advised to upgrade to the latest versions of Firefox, including version 97.0.2, Firefox ESR 91.6.1, Mozilla Firefox for Android, Focus 97.3.0, and Thunderbird (91.6.2).

Here is a brief description of the two flaws that need to be addressed:

  • In case of a CVE-2022-26485 exploit, it is possible that removing an XSLT parameter during processing would result in an exploitable use-after-free vulnerability.
  • The CVE-2022-26486 vulnerability is caused by an unexpected message received in the WebGPU IPC framework, which might result in a use-after-free and exploitable sandbox escape.

According to specialists, use-after-free flaws are caused mostly by confusion about which component of the program is responsible for freeing the memory. These flaws may be exploited by hackers to corrupt legitimate data and execute malicious code on compromised systems.

In a statement, Mozilla confirmed that it had received “reports of attacks in the wild” that exploited the two vulnerabilities, but, due to security reasons, it did not provide any additional technical details about how the attacks were carried out. It also did not specify the names of the criminal actors that stood behind them.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment