Mozilla has released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 to address two critical zero-day vulnerabilities actively exploited in attacks.
Both zero-day vulnerabilities are “use-after-free” bugs, that is, when a program attempts to use memory that has been previously cleared. When hackers exploit this type of bug, it can cause the program to crash while allowing commands to be executed on the device without permission.
These bugs are critical because they could allow a remote attacker to execute almost any command, including downloading malware to provide additional access to the device.
The zero-day vulnerabilities fixed by Mozilla are:
- CVE-2022-26485: Use-after-free in XSLT parameter processing – Removing an XSLT parameter during processing could have led to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw.
- CVE-2022-26486: Use-after-free in WebGPU IPC Framework – An unexpected message in the WebGPU IPC framework could lead to an exploitable use-after-free sandbox escape. We have had reports of attacks in the wild abusing this flaw.
As Mozilla’s security advisory explains, Firefox developers are aware of “reports of attacks in the wild” actively exploiting these vulnerabilities.
Although Mozilla has not shared how threat actors use these zero-day vulnerabilities in attacks, it was likely done by redirecting Firefox users to maliciously crafted web pages.
These vulnerabilities were discovered and disclosed to Mozilla by Chinese cybersecurity company Qihoo 360 ATA.
Due to the critical nature of these bugs and their active exploitation, it is strongly recommended that all Firefox users update their browsers immediately.
You can also download the latest version of Mozilla Firefox for Windows, macOS and Linux from the following links:
Users can manually check for new updates by accessing the Firefox Menu > To help > About Firefox. Firefox will then automatically check for and install the latest update and prompt you to restart your browser.