Mozilla fixes actively exploited zero-days in Firefox

 


Mozilla fixed two critical zero-days in its popular web browser, Firefox. Mozilla is aware of active exploitation of these vulnerabilities. There is no specific information about the threat groups or malware using these vulnerabilities.


Firefox Zero-Days

As per the advisory,

  • CVE-2020-6819 is a use-after-free vulnerability when running the nsDocShell destructor due to a race condition.

  • CVE-2020-6820 is a use-after-free vulnerability when handling a ReadableStream due to a race condition.

Both zero-days are use-after-free issues in different components. A use-after-free (CWE-416) issue is one where memory is referenced after it has been freed. Vulnerabilities of this type can be used to corrupt memory and launch denial of service or remote code execution attacks. Depending on the privileges of the targeted user, an attacker can install programs; view, change, or delete data; or create new accounts with full user rights.


Affected products

  • Firefox versions prior to 74.0.1
  • Firefox ESR versions prior to 68.6.1
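
To triage a fleet against the versions listed above, the following added example (not part of the original advisory or of any SecPod tooling) classifies version banners as affected or patched. It assumes banners in the form printed by `firefox --version`, that ESR builds carry an `esr` suffix, and that the ESR line means builds prior to 68.6.1; the host names and inventory are constructed sample data.

```python
import re

# Fixed versions taken from the "Affected products" list.
FIXED_RELEASE = (74, 0, 1)
FIXED_ESR = (68, 6, 1)  # assumption: ESR builds before this are affected

# Matches e.g. "Mozilla Firefox 74.0" or "Mozilla Firefox 68.6.0esr".
VERSION_RE = re.compile(r"Firefox\s+(\d+(?:\.\d+)*)(esr)?", re.IGNORECASE)

def parse_version(banner):
    """Return ((major, minor, patch), is_esr), or None if unrecognised."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # "74.0" is treated as 74.0.0
    return tuple(parts[:3]), bool(m.group(2))

def is_affected(banner):
    """True if affected, False if patched, None if it needs manual review."""
    parsed = parse_version(banner)
    if parsed is None:
        return None
    version, is_esr = parsed
    return version < (FIXED_ESR if is_esr else FIXED_RELEASE)

def triage(inventory):
    """Group (host, banner) pairs into affected / patched / unknown."""
    result = {"affected": [], "patched": [], "unknown": []}
    for host, banner in inventory:
        verdict = is_affected(banner)
        key = "unknown" if verdict is None else ("affected" if verdict else "patched")
        result[key].append(host)
    return result

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("ws-001", "Mozilla Firefox 74.0"),
    ("ws-002", "Mozilla Firefox 74.0.1"),
    ("ws-003", "Mozilla Firefox 68.6.0esr"),
    ("ws-004", "Mozilla Firefox 68.6.1esr"),
    ("ws-005", "firefox: command not found"),
]

if __name__ == "__main__":
    for group, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{group}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown should be checked by hand rather than assumed patched.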

Impact

Attackers can abuse these vulnerabilities to crash the application or execute arbitrary code in the context of the browser.


Solution

Please refer to this KB article to apply the patches using SanerNow.


 

Publisher Name
SecPod Technologies