Mozilla has released an out-of-band security update for Firefox, Firefox ESR, Firefox Focus, Firefox for Android, and Thunderbird, fixing two critical vulnerabilities (CVE-2022-26485, CVE-2022-26486). Mozilla is aware of the active exploitation of these vulnerabilities. There is no specific information about the threat groups or malware utilizing these vulnerabilities.
The zero-day vulnerabilities fixed by Mozilla are:
- CVE-2022-26485: It can be triggered by removing an XSLT parameter during processing, leading to an exploitable use-after-free. In the Extensible Markup Language (XML), the <xsl:param> element is used to declare a local or global parameter. XML is a markup language much like HTML, designed to store and transport data. The XSLT <xsl:param> and <xsl:with-param> elements allow you to pass parameters to a template.
- CVE-2022-26486: It is exploited by sending an unexpected message in the WebGPU IPC framework, leading to a use-after-free and exploitable sandbox escape. WebGPU exposes an API for performing operations such as rendering and computation on a Graphics Processing Unit. Interprocess communication (IPC) refers to the mechanisms an operating system provides to allow processes to manage shared data. WebGPU sees physical Graphics Processing Unit (GPU) hardware as GPUAdapters. It provides a connection that manages resources, and the device's GPUQueues, which execute commands. The idea of browser sandboxes is to shield the system from malware attacking the browser. They do this by containing any malicious code that originates from visiting a website in the sandbox part of the browser. As soon as the sandbox is closed, everything inside it is erased, including the malicious code.
So, the ability to escape the application’s security sandbox is valuable to an attacker as it can be chained with other vulnerabilities to take over the target system. Since the same researchers reported these two vulnerabilities, it seems highly likely they were used together in online attacks for exactly that purpose.
Both zero-days are use-after-free issues in different components. A use-after-free (CWE-416) issue is one where memory is referenced after it has been freed. Vulnerabilities of this type can be used to corrupt memory and launch denial-of-service or remote code execution attacks. Depending on the privileges of the targeted user, an attacker can install programs; view, change, or delete data; or create new accounts with full user rights.
As Mozilla's security advisory explains, the Firefox developers are aware of "reports of attacks in the wild" actively exploiting these vulnerabilities. The affected versions are:
- Mozilla Firefox: 9.0.1 – 97.0.1
- Firefox ESR: 91.0 – 91.6.0, 78.0 – 78.15.0
- Firefox for Android: 79.0.0 – 97.2.0
- Firefox Focus prior to 97.3
- Thunderbird prior to 91.6.2
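The version ranges above are the actionable part of this advisory for a defender: the quickest way to know whether a fleet is exposed is to compare each installed build against them. The script below is an added example, not code from Mozilla or the original article; it encodes exactly the ranges listed above (inclusive "a – b" ranges and exclusive "prior to X" bounds) and runs them over a small constructed software inventory. The product keys (`firefox`, `firefox-esr`, and so on) and the inventory format are assumptions made for the example.

```python
"""Triage a software inventory against the affected ranges in the Mozilla advisory above."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges as stated in the advisory text.
# Each entry is (lower bound or None, upper bound, upper_bound_inclusive).
# "a – b" ranges are inclusive on both ends; "prior to X" means strictly below X.
AFFECTED_RANGES = {
    "firefox":         [("9.0.1", "97.0.1", True)],
    "firefox-esr":     [("91.0", "91.6.0", True), ("78.0", "78.15.0", True)],
    "firefox-android": [("79.0.0", "97.2.0", True)],
    "firefox-focus":   [(None, "97.3", False)],
    "thunderbird":     [(None, "91.6.2", False)],
}


def parse_version(text: str) -> Version:
    """Turn '91.6.0' or '91.6.0esr' into a tuple of ints, ignoring trailing letters."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if match is None:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(match.group(0)))
    return tuple(parts)


def version_cmp(a: Version, b: Version) -> int:
    """Compare two versions, padding with zeros so '97.3' == '97.3.0'. Returns -1, 0 or 1."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def is_affected(product: str, version_text: str) -> bool:
    """True if the given build of the product falls inside one of the advisory's ranges."""
    version = parse_version(version_text)
    for low, high, high_inclusive in AFFECTED_RANGES[product]:
        if low is not None and version_cmp(version, parse_version(low)) < 0:
            continue  # below this range, try the next one
        cmp_high = version_cmp(version, parse_version(high))
        if cmp_high < 0 or (high_inclusive and cmp_high == 0):
            return True
    return False


def triage_inventory(lines: List[str]) -> List[Tuple[str, str, str, bool]]:
    """Parse 'host product version' lines and flag each entry as affected or not."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = line.split()
        results.append((host, product, version, is_affected(product, version)))
    return results


# Constructed sample inventory (not real hosts) in the assumed 'host product version' format.
SAMPLE_INVENTORY = """\
# host        product          version
ws-01         firefox          97.0.1
ws-02         firefox          97.0.2
ws-03         firefox-esr      91.6.0esr
ws-04         firefox-esr      91.6.1esr
ws-05         firefox-esr      78.15.0
ws-06         thunderbird      91.6.2
ws-07         firefox-focus    97.2.0
""".splitlines()


def affected_hosts(lines: Optional[List[str]] = None) -> List[str]:
    """Return the hosts that still run an affected build."""
    rows = triage_inventory(SAMPLE_INVENTORY if lines is None else lines)
    return [host for host, _, _, flagged in rows if flagged]


if __name__ == "__main__":
    for host, product, version, flagged in triage_inventory(SAMPLE_INVENTORY):
        status = "AFFECTED - update required" if flagged else "ok"
        print(f"{host:8} {product:16} {version:12} {status}")
```

Comparison is done on zero-padded integer tuples rather than on strings, so `97.3` and `97.3.0` compare equal and `97.10` sorts after `97.2`; a plain string comparison would get both of those wrong and silently miss exposed builds.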
Successful vulnerability exploitation may allow an attacker to compromise the vulnerable system.