Mozilla rolled out updates for Firefox, Focus, Firefox ESR and Firefox for Android to fix two high-severity zero-day vulnerabilities known to be actively exploited in the wild.
Both flaws are use-after-free vulnerabilities, a class of memory-safety bug in which a program keeps using a heap object after that object has been freed. Because the freed memory can be handed out again to a new allocation, an attacker who controls that later allocation can overwrite what the stale pointer refers to, including function pointers and object metadata. Attackers have long used this bug class to crash programs or to achieve arbitrary code execution.
The zero-day flaws fixed by Mozilla’s update rollout are:
- CVE-2022-26485: use-after-free in XSLT parameter processing. Removing an XSLT parameter while it is still being processed could lead to an exploitable use-after-free.
- CVE-2022-26486: use-after-free in the WebGPU IPC framework. An unexpected message in the framework could trigger a use-after-free and an exploitable sandbox escape.
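To make the bug class above concrete, here is an added example written for this article; it is not Firefox or Gecko code and does not reproduce either CVE. It uses a tiny same-size-class slab allocator (a stand-in for a real heap allocator's behaviour of reusing a freed chunk for the next allocation of that size) and a processing table whose entry is freed but not cleared. An attacker-controlled allocation of the same size, standing in for the payload of an "unexpected message", then lands in the freed object, so the stale pointer's callback now points at the attacker's gadget. The `param_t` layout, `ctx_t`, `attacker_gadget` and the slab itself are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Toy slab: every chunk is the same size and a freed chunk is handed to the
   very next allocation (LIFO free list). Real allocators do the same within a
   size class, which is what lets attacker data land inside a freed object.
   This allocator is hypothetical and exists only to keep the demo free of
   undefined behaviour: the "freed" memory is still valid storage. */
#define SLAB_CHUNKS 4
#define CHUNK_SIZE  32

typedef void (*handler_t)(const char *name);

/* Union keeps every chunk pointer-aligned. */
typedef union { unsigned char raw[CHUNK_SIZE]; handler_t align; } chunk_t;

static chunk_t slab[SLAB_CHUNKS];
static int free_list[SLAB_CHUNKS], free_top = -1, next_fresh = 0;

static void slab_reset(void) {
    free_top = -1;
    next_fresh = 0;
    memset(slab, 0, sizeof slab);
}

static void *slab_alloc(void) {
    if (free_top >= 0) return slab[free_list[free_top--]].raw;   /* reuse a freed chunk first */
    if (next_fresh < SLAB_CHUNKS) return slab[next_fresh++].raw;
    return NULL;
}

static void slab_free(void *p) {
    int idx = (int)((chunk_t *)p - slab);
    free_list[++free_top] = idx;   /* contents are left untouched, as real free() does */
}

/* A processing object that owns a callback, standing in for a parsed parameter
   or an IPC message object (hypothetical layout, not Gecko's). */
typedef struct {
    handler_t on_use;
    char name[CHUNK_SIZE - sizeof(handler_t)];
} param_t;

typedef struct { param_t *params[2]; } ctx_t;

static int legit_calls, gadget_calls;
static void legit_handler(const char *name) { (void)name; legit_calls++; }
/* Stands in for the attacker's first gadget; it only counts how often it ran. */
static void attacker_gadget(const char *name) { (void)name; gadget_calls++; }

static param_t *param_new(const char *name) {
    param_t *p = slab_alloc();
    if (!p) return NULL;
    p->on_use = legit_handler;
    strncpy(p->name, name, sizeof p->name - 1);
    p->name[sizeof p->name - 1] = '\0';
    return p;
}

/* BUG: the object is freed while ctx->params[i] still points at it. */
static void remove_param_vulnerable(ctx_t *ctx, int i) {
    slab_free(ctx->params[i]);
}

/* FIX: drop the reference the rest of processing will see, then free. */
static void remove_param_fixed(ctx_t *ctx, int i) {
    param_t *p = ctx->params[i];
    ctx->params[i] = NULL;
    slab_free(p);
}

/* An attacker-controlled allocation of the same size class arriving between
   the free and the stale use. Its first bytes overlap the freed object's
   on_use field, so the attacker chooses where the next call goes. */
static void attacker_allocates(void) {
    unsigned char *chunk = slab_alloc();
    handler_t fp = attacker_gadget;
    if (!chunk) return;
    memcpy(chunk, &fp, sizeof fp);
    memcpy(chunk + sizeof fp, "pwned", 6);
}

/* The rest of processing walks the table and invokes each entry's callback. */
static void process(const ctx_t *ctx) {
    for (int i = 0; i < 2; i++)
        if (ctx->params[i]) ctx->params[i]->on_use(ctx->params[i]->name);
}

/* Runs free -> attacker allocation -> stale use and returns how many times the
   attacker's gadget ran: 1 means control flow was hijacked, 0 means safe. */
int run_scenario(int use_fix) {
    ctx_t ctx;
    slab_reset();
    legit_calls = gadget_calls = 0;
    ctx.params[0] = param_new("doomed");
    ctx.params[1] = param_new("survivor");
    if (use_fix) remove_param_fixed(&ctx, 0); else remove_param_vulnerable(&ctx, 0);
    attacker_allocates();
    process(&ctx);
    return gadget_calls;
}

int main(void) {
    printf("vulnerable: gadget ran %d time(s)\n", run_scenario(0));
    printf("fixed:      gadget ran %d time(s)\n", run_scenario(1));
    return 0;
}
```

The vulnerable path calls `attacker_gadget` once, the fixed path never does, and the legitimate handler runs once in both. The fix here is the minimal one (clear the reference before freeing); in a real code base the durable fix is a single clear owner for the object, with everything else holding either a borrowed pointer that cannot outlive the owner or a reference-counted handle, which is the kind of lifetime error these two Firefox patches address.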
Mozilla’s security advisory states that it has had “reports of attacks in the wild” abusing these flaws. Their high severity comes from what the two bugs give an attacker when chained: a use-after-free that yields code execution inside the browser, plus the WebGPU IPC bug that Mozilla describes as an exploitable sandbox escape, lets malicious code run outside the browser sandbox, from where an attacker can download malware onto the compromised system, elevate privileges and establish persistence.
Mozilla rolled out the following updates for Firefox browsers:
- Firefox 97.0.2
- Firefox ESR 91.6.1
- Firefox for Android 97.3.0
- Focus 97.3.0
Considering the threat level of these zero-day vulnerabilities, Mozilla recommends Firefox users prioritize updating their browsers to the latest version.
Although automatic Firefox updating is enabled by default, users can disable it. If you need to bring your Firefox browser up to date, you can download the latest version from the official website (Windows, Linux and macOS), use Google Play (Android) or the App Store (iOS), or check for updates manually.
To update manually, open the Firefox menu, choose Help, then About Firefox. This performs a version check, installs the latest update if one is available, and prompts you to restart the browser. After the restart, confirm that the version shown in the same dialog matches or exceeds the patched release for your channel (97.0.2 for Firefox, 91.6.1 for Firefox ESR).