The Firefox Internet browser received a critical patch
from the Mozilla Foundation to fix a couple of actively exploited zero-day
vulnerabilities that were endangering both regular users and institutions.
Zero-day vulnerabilities in Internet browsers are
dangerous because criminals and hackers can use them with great success in a
wide range of criminal schemes. Regular users are rarely affected by zero-day
exploits as hackers don’t want to waste such an important resource on low-level
targets. Companies and institutions are more affected by attackers such as APTs
(advanced persistent threats) backed by governments from around the world.
The two vulnerabilities were rated
as critical by Mozilla, and details about how they work are not yet public. Both
are use-after-free flaws that were already exploited in the wild, which is why
the company is not yet releasing details.
In CVE-2020-6819, under certain conditions, when running
the nsDocShell destructor, a race condition can cause a use-after-free. And
with CVE-2020-6820, when handling a ReadableStream, a race condition can cause
a use-after-free as well.
According
to the Center for Internet Security (CIS), “the successful exploitation of the
most severe of these vulnerabilities could allow for arbitrary code execution.
Depending on the privileges associated with the user an attacker could then
install programs; view, change, or delete data; or create new accounts with
full user rights.”
All Firefox versions prior to 74.0.1 and Firefox ESR
versions before 68.6.1 are affected, and users are advised to upgrade their
Internet browsers as soon as possible.
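
For administrators checking many machines against the version cut-offs above, the following is an added example, not code from Mozilla or CIS. It assumes each host reports its version in the form printed by `firefox --version` and that ESR builds carry an `esr` suffix; the host names and inventory are constructed.

```python
import re

# Fixed versions as stated in the article above.
FIXED_RELEASE = (74, 0, 1)   # Firefox
FIXED_ESR = (68, 6, 1)       # Firefox ESR

# Matches "74.0", "74.0.1" or "68.6.0esr" at the end of a version line.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)(?:\.(\d+))?(esr)?\s*$", re.I)


def classify(version_line):
    """Return 'affected', 'fixed' or 'unknown' for one reported version."""
    m = _VERSION_RE.search(version_line)
    if not m:
        return "unknown"  # beta/nightly or unparseable: review by hand
    major, minor, patch, esr = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    fixed = FIXED_ESR if esr else FIXED_RELEASE
    return "affected" if version < fixed else "fixed"


def triage(inventory):
    """Group host names by the classification of their reported version."""
    report = {"affected": [], "fixed": [], "unknown": []}
    for host, version_line in inventory:
        report[classify(version_line)].append(host)
    return report


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "Mozilla Firefox 74.0"),
    ("ws-02", "Mozilla Firefox 74.0.1"),
    ("ws-03", "Mozilla Firefox 68.6.0esr"),
    ("ws-04", "Mozilla Firefox 68.6.1esr"),
    ("ws-05", "Mozilla Firefox 75.0b3"),
    ("ws-06", "Mozilla Firefox 60.9.0esr"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts listed as unknown run a build this check cannot compare, such as a beta, and need manual review rather than being assumed safe.
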
Ideally, Internet browsers should not be used by users
with administrative rights, and people should not visit untrusted websites or
follow links provided by unknown or untrusted sources.
Security researchers Francisco Alonso and Javier Marcos first
reported the two vulnerabilities. Interestingly enough, they also say that new
details about the exploits will be published and will involve other browsers as
well. This means that, while the problems were initially reported on Firefox,
they might be valid on other Internet browsers as well.