2 New Mozilla Firefox 0-Day Bugs Under Active Attack – Fix Your Browser ASAP!

Mozilla has pushed out-of-band software updates to its Firefox web browser to contain two high-impact security vulnerabilities, which it says are being actively exploited in the wild.

Tracked as CVE-2022-26485 and CVE-2022-26486, the zero-day flaws have been described as use-after-release issues affecting Extensible Stylesheet Language Transformations (XSLT) parameter processing and WebGPU inter-process communication ( CPI) Framework.

Automatic GitHub backups

XSLT is an XML-based language used for converting XML documents into web pages or PDF documents, while WebGPU is an emerging web standard that was introduced as the successor to the current WebGL JavaScript graphics library.

The description of both faults is below –

  • CVE-2022-26485 – Removing an XSLT parameter during processing could lead to an exploitable use-after-release
  • CVE-2022-26486 – An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape

Use-after-free bugs – which could be exploited to corrupt valid data and execute arbitrary code on compromised systems – stem primarily from “confusion over which part of the program is responsible for freeing memory”.

Prevent data breaches

Mozilla acknowledged that “we have had reports of in-the-wild attacks” weaponizing both vulnerabilities but did not share any technical specifics related to the intrusions or the identity of the malicious actors exploiting them.

Security researchers Wang Gang, Liu Jialei, Du Sihang, Huang Yi, and Yang Kang of Qihoo 360 ATA were credited with discovering and reporting the flaws.

In light of active exploits, users are recommended to upgrade to Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, Focus 97.3.0, and Thunderbird 91.6 as soon as possible. 2.

Comments are closed.