Firefox Users Asked to Upgrade after Two Zero-Day Vulnerabilities are Discovered
Mozilla has pushed out software updates for Firefox to fix two high-impact security vulnerabilities, both of which are being actively exploited in the wild.
The two vulnerabilities, CVE-2022-26485 and CVE-2022-26486, are zero-day flaws described as use-after-free issues impacting Extensible Stylesheet Language Transformations (XSLT) parameter processing and the WebGPU inter-process communication (IPC) framework.
XSLT is an XML-based language that is used to convert XML documents into web pages or PDFs. WebGPU is an emerging web standard that is considered the successor to the current WebGL JavaScript graphics library.
The flaws are described below:
CVE-2022-26485 – Removing an XSLT parameter during processing could lead to an exploitable use-after-free
CVE-2022-26486 – An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape
Use-after-free bugs can be exploited to corrupt valid data and execute arbitrary code on compromised systems. These bugs stem mainly from a “confusion over which part of the program is responsible for freeing the memory.”
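As an added illustration (constructed for this article, not Mozilla's code and not a reproduction of either CVE), the following C sketch models the ownership confusion described above: a parameter is removed while a transform still holds a pointer to it. The `Param` type and all function names are hypothetical; the hardened variant pins the object with a reference count.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model, not Firefox code: a parameter owned by a table slot. */
typedef struct { int refs; char value[16]; } Param;
static int frees = 0;                 /* counts real deallocations */

static Param *param_new(const char *v) {
    Param *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->refs = 1;                      /* the table's reference */
    strncpy(p->value, v, sizeof p->value - 1);
    return p;
}
static Param *param_ref(Param *p) { p->refs++; return p; }
static void param_unref(Param *p) { if (--p->refs == 0) { frees++; free(p); } }

/* Stands in for a callback that removes the parameter mid-transform. */
static void remove_param(Param **slot) {
    if (*slot) { param_unref(*slot); *slot = NULL; }
}

/* VULNERABLE pattern: borrows the table's pointer without taking a reference,
   so the re-entrant removal frees it. Shown for comparison; never called. */
size_t transform_unsafe(Param **slot) {
    Param *p = *slot;                 /* borrowed, nobody pinned it */
    remove_param(slot);               /* refs 1 -> 0, object freed */
    return strlen(p->value);          /* dangling read: use-after-free */
}

/* HARDENED pattern: the transform holds its own reference while it uses
   the parameter, so removal only drops the table's reference. */
size_t transform_safe(Param **slot) {
    if (!*slot) return 0;             /* nothing to process */
    Param *p = param_ref(*slot);      /* pin before any callback runs */
    remove_param(slot);               /* refs 2 -> 1, no free yet */
    size_t n = strlen(p->value);      /* still valid memory */
    param_unref(p);                   /* last owner frees exactly once */
    return n;
}

int main(void) {
    Param *slot = param_new("en-US");
    size_t n = transform_safe(&slot);
    printf("len=%zu frees=%d slot=%p\n", n, frees, (void *)slot);
    return 0;
}
```

Building with AddressSanitizer (`-fsanitize=address`) and calling `transform_unsafe` instead reports a heap-use-after-free at the final read.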
Mozilla acknowledged that “we have had reports of attacks in the wild” weaponizing the two vulnerabilities, but did not share any more details.
Security researchers Wang Gang, Liu Jialei, Du Sihang, Huang Yi, and Yang Kang of Qihoo 360 ATA have been credited with discovering the vulnerabilities.
In response to these attacks, Mozilla recommends that users upgrade as soon as possible to Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, Focus 97.3.0, and Thunderbird 91.6.2.
Story via The Hacker News