Mozilla Firefox has two new zero-day bugs under active attack

Patch your web browser as soon as possible to avoid cyber attacks that exploit the zero-day flaws

Mozilla Firefox web browsers can be exploited. Mozilla patches two zero-day bugs that have reportedly already been exploited in cyber attacks.

Mozilla Firefox browsers contain two serious vulnerabilities that can lead to attacks on machines that are not patched. Users are urgently encouraged to update the browser as soon as possible.[1] Version 97.0.2 fixes these two actively exploited bugs. Mozilla released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Firefox Focus 97.3.0 to fix the vulnerabilities, which are already being used in attacks.[2]

Both vulnerabilities are use-after-free bugs: the program continues to use a block of heap memory after that block has been freed. If an attacker can get the freed block reallocated with data they control before the stale pointer is used again, the program operates on attacker-supplied data. In the best case that crashes the application; in the worst case it lets the attacker execute code inside the browser process. Triggering the bug requires nothing more from the victim than loading a malicious web page; no permission prompt is involved.

Mozilla rates both vulnerabilities as critical because a threat actor can attack the targeted machine remotely, through a malicious web page, and run commands of their choosing on the device. That includes downloading additional malware to infect the machine further. Deploying ransomware can cause financial losses, while keyloggers and other silent threats collect information that is valuable to the attacker, since credentials and logins can be sold or reused in secondary attacks and scams.[3]

Mozilla fixing critical bugs with software updates

The out-of-band software updates for the Firefox web browser fix two critical security vulnerabilities, both of which have been actively exploited in the wild. The flaws affect Extensible Stylesheet Language Transformations (XSLT) parameter processing and the WebGPU inter-process communication (IPC) framework.[4]

XSLT is an XML-based language for transforming XML documents into other formats, such as HTML web pages, plain text, other XML, or (via XSL-FO) PDF. WebGPU is a web standard positioned as the successor to WebGL, the current JavaScript graphics API. The specifics of the two zero-day bugs:

  • CVE-2022-26485. Use-after-free in XSLT parameter processing. Removing an XSLT parameter while it is still being processed can lead to an exploitable use-after-free. Mozilla has received reports of attacks in the wild abusing this flaw.
  • CVE-2022-26486. Another use-after-free bug, this one in the WebGPU IPC framework. An unexpected message sent over the framework can lead to a use-after-free and an exploitable sandbox escape. Reports of attacks in the wild exploiting this flaw have also surfaced.

What is the risk, and what can be done?

Use-after-free vulnerabilities can be used to corrupt or read sensitive data and to execute arbitrary code on the compromised system.[5] They stem from confusion over which part of the application owns a block of memory and is responsible for freeing it: when one component frees memory that another component still references, the result ranges from an application crash to exploitable memory corruption.
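To make the mechanism behind both the explanation above and the XSLT bug description concrete, here is an added example in C. It is not Mozilla's code and not taken from this article; it is a hypothetical model in which a processor keeps a raw pointer to a parameter object, the parameter is removed and freed while still in use, and the next same-sized allocation reuses the freed slot. The slab allocator, the param_t structure, the handler functions (attacker_handler stands in for shellcode or a ROP chain) and the reference-counting fix are all assumptions made for this illustration. The hardened version shows one common ownership fix: the object cannot be freed while any component still holds a reference to it.

```c
#include <stdio.h>
#include <string.h>

/* Toy slab allocator (assumption for this example): fixed-size slots with a
 * LIFO free list, so the most recently freed slot is handed back by the next
 * allocation. Production heap allocators reuse same-sized chunks in much the
 * same way, which is what makes a use-after-free reliably exploitable. */
#define SLOT_SIZE 32
#define NSLOTS 8
static _Alignas(16) unsigned char slab[NSLOTS][SLOT_SIZE];
static int free_stack[NSLOTS];
static int free_top;

static void slab_init(void) {
    memset(slab, 0, sizeof slab);
    free_top = -1;
    for (int i = NSLOTS - 1; i >= 0; i--)   /* slot 0 ends up on top */
        free_stack[++free_top] = i;
}
static void *slab_alloc(void) {
    return free_top < 0 ? NULL : (void *)slab[free_stack[free_top--]];
}
static void slab_free(void *p) {
    free_stack[++free_top] = (int)(((unsigned char *)p - &slab[0][0]) / SLOT_SIZE);
}

/* Hypothetical model of a stylesheet parameter: a name plus a handler the
 * processor calls through. This is not Firefox's real data structure. */
typedef void (*handler_fn)(void);
typedef struct {
    char name[16];
    handler_fn handler;
    int refcount;
} param_t;
_Static_assert(sizeof(param_t) <= SLOT_SIZE, "param must fit in one slot");

static int legit_calls, attacker_calls;
static void legit_handler(void) { legit_calls++; }
/* Stands in for the address an attacker would plant (shellcode or a ROP chain). */
static void attacker_handler(void) { attacker_calls++; }

/* VULNERABLE: the processor holds a raw pointer to the parameter while the
 * parameter is removed and freed, then calls through the stale pointer.
 * Returns 1 if control reached the attacker's handler. */
static int vulnerable_process(void) {
    slab_init();
    legit_calls = attacker_calls = 0;

    param_t *p = slab_alloc();
    strcpy(p->name, "indent");
    p->handler = legit_handler;

    param_t *cur = p;        /* stale reference the processor keeps */
    slab_free(p);            /* "removing the parameter during processing" */

    /* The attacker reclaims the freed slot with a same-sized object whose
     * handler field they control (in a browser: a heap spray from JavaScript). */
    param_t *spray = slab_alloc();
    strcpy(spray->name, "AAAAAAAAAAAAAAA");
    spray->handler = attacker_handler;

    cur->handler();          /* dereferences the reused slot: control hijacked */
    return attacker_calls == 1 && (void *)cur == (void *)spray;
}

/* HARDENED: ownership is tracked with a reference count, so "remove" only
 * drops the table's reference; the slot cannot be freed while the processor
 * still uses it. Returns 1 if only the legitimate handler ran. */
static void param_retain(param_t *p)  { p->refcount++; }
static void param_release(param_t *p) { if (--p->refcount == 0) slab_free(p); }

static int hardened_process(void) {
    slab_init();
    legit_calls = attacker_calls = 0;

    param_t *p = slab_alloc();
    strcpy(p->name, "indent");
    p->handler = legit_handler;
    p->refcount = 1;         /* reference held by the parameter table */

    param_t *cur = p;
    param_retain(cur);       /* processor takes its own reference */
    param_release(p);        /* table removes the parameter: 2 -> 1, not freed */

    param_t *spray = slab_alloc();   /* lands in a different slot */
    spray->handler = attacker_handler;

    cur->handler();          /* still the legitimate handler */
    param_release(cur);      /* last reference gone: slot is freed only now */
    return legit_calls == 1 && attacker_calls == 0 && (void *)cur != (void *)spray;
}

int main(void) {
    printf("vulnerable: attacker handler reached = %d\n", vulnerable_process());
    printf("hardened:   only legitimate handler ran = %d\n", hardened_process());
    return 0;
}
```

Build with `cc -std=c11 uaf_demo.c && ./a.out`. The vulnerable path prints 1 because the stale pointer and the attacker's object share the same slot; the hardened path prints 1 because the reference count keeps the slot alive until the processor is done with it. A real browser exploit rests on the same reuse, with the handler field replaced by an address the attacker chooses and the spray performed from page JavaScript.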

Mozilla was informed of in-the-wild attacks weaponizing the vulnerabilities and issued the updates without publishing technical details about the attacks or the threat actors exploiting the flaws. It is believed that the attackers exploited these zero-day vulnerabilities by redirecting users to malicious websites.

Because the flaws are critical, users should update their web browsers immediately. The latest Firefox versions are available for Linux, macOS, and Windows. Desktop users can also trigger an update check from within the browser through the Help menu (Help > About Firefox), which downloads and installs the latest version.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-Chief.
