Mozilla developers released an updated version of Firefox 74.0.1, where they fixed two fresh 0-day vulnerabilities that hackers had already exploited. All users are encouraged to upgrade as soon as possible.
The new version of Firefox includes fixes for critical vulnerabilities CVE-2020-6819 and CVE-2020-6820. Both problems relate to the use-after-free class and are related to the way Firefox uses its own memory space.In essence, vulnerabilities allow hackers to place code in Firefox’s memory and execute it in a browser context. The release notes have been published already; they list security fixes only and no other changes. Mozilla’s Security Advisories site provides additional information on the two vulnerabilities that the organization fixed in the new Firefox release:
- CVE-2020-6819: Use-after-free while running the nsDocShell destructor — Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw.
- CVE-2020-6820: Use-after-free when handling a ReadableStream — Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw.
Typically, such bugs are used to execute code on victims’ devices, although the impact and scope of vulnerabilities may vary. In this case, errors affect the versions of Firefox that run on Windows, macOS, and Linux.
Depending on the privileges of the user, an attacker can install programs; View, modify or delete data; Create new accounts with full user rights. Users, whose accounts are configured for fewer rights, may be less affected than those who work with administrator rights”, — says the official security bulletin.
So far, developers have not reported details about how 0-day data was used in the attacks. Mozilla was thanked security professionals Francisco Alonso and Javier Marcos of JMP Security for identifying and resolving issues.
It is interesting that Alonso writes on his Twitter that the detected vulnerabilities can also affect other browsers.
Update to Firefox 74.0.1 and ESR 68.6.1. We (@javutin) reported two 0-days exploited in the wild. Thanks to @mozilla for quick fixes and hard work. There is still lots of work to do and more details to be published (including other browsers). Stay tuned”, – Francisco Alonso tweeted.
However, what these “other browsers” are not yet known. Chrome has its own problems, and Microsoft Edge is almost ahead of Mozilla Firefox in popularity.
