Security Update: Mozilla Fixes Actively Exploited Zero-Days in Firefox

Mozilla fixed two critical zero-days in its popular web browser, Firefox. Using a vulnerability management tool. Mozilla is aware of active exploitation of these vulnerabilities. There is no specific information about the threat groups or malwares utilizing these vulnerabilities. These are the Firefox vulnerabilities.

Firefox vulnerabilities Zero-Days

As per the advisory,

• CVE-2020-6819 is a use-after-free vulnerability when running the nsDocShell destructor due to a  race condition.
• CVE-2020-6820 is a use-after-free vulnerability when handling a ReadableStream due to a race condition.

Both the zero-days are use-after-free issues in different components. A use-after-free(CWE-416) issue is one where a memory is referenced after it is freed. However, vulnerabilities of this type can be used to corrupt memory and launch denial of service or remote code execution attacks. Depending on the privileges of the targeted user, an attacker can install programs; view, change, or delete data; or create new accounts with full user rights. A patch management tool can patch such vulnerabilities.

Affected products in Firefox vulnerabilities

• Firefox versions prior to 74.0.1
• Firefox ESR versions 68.6.1

Impact

Attackers can either abuse these vulnerabilities to crash the application or execute arbitrary code in the context of the browser.

Solution

Please refer to this KB article to apply the patches using SanerNow.