News

Mozilla fixes two Firefox zero-days being actively exploited

Critical vulnerabilities allow attackers to execute arbitrary code or trigger crashes

6 Apr 2020

.polaris__post-meta--date { display: none; } .polaris__post-meta--date.no-script { display: block; padding-left: 45px } 6 Apr 2020

Mozilla has moved fast to fix two Firefox browser zero-day vulnerabilities being actively exploited in the wild.

The flaws are both "use-after-free" vulnerabilities that could potentially allow attackers to execute arbitrary code or trigger crashes on machines running vulnerable versions of the Firefox browser.

The first bug, tracked as CVE-2020-6819, is tied to the browser component “nsDocShell destructor”, while the second zero-day, CVE-2020-6820, is linked to a race condition in the ReadableStream class, which is used to read a stream of data.

As per Mozilla's security advisory, the Firefox developers "are aware of targeted attacks in the wild abusing" these two critical flaws. However, details about the actual attacks where these two bugs are being exploited are still kept under wraps.

“Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution,” according to a Center for Internet Security bulletin.

“Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”

The discovery of these vulnerabilities was credited to security researchers Francisco Alonso and Javier Marcos. Alonso tweeted there are “more details to be published (including other browsers),” indicating these flaws likely also affect other web browsers.

Fixes are available in Firefox 74.0.1 and are also available for Firefox 68 users with version 68.6.

Mozilla patched another actively exploited Firefox zero-day with the release of Firefox 72.0.1 in January, which it also warned was being used in targeted attacks. This critical flaw, branded CVE-2019-17026, allowed an attacker to seize control of an affected computer through a mechanism that leads to ‘type confusion’.

Featured Resources

The 3D skills report

Add 3D skills to your creative toolkits and play a sizeable role in the digital future

.imgHideOnJavaScriptDisabled_https://media.itpro.co.uk//image/upload/f_auto,t_resource-card-mobile@1/v1674557886/itpro/Whitepaper%20covers/3d_skills_report_thumb.png { display: none !important; }

Free Download

The increasing need for environmental intelligence solutions

How sustainability has become a major business priority and is continuing to grow in importance

.imgHideOnJavaScriptDisabled_https://media.itpro.co.uk//image/upload/f_auto,t_resource-card-mobile@1/v1674645007/itpro/Whitepaper%20covers/Environmental_Intelligence_thumb.jpg { display: none !important; }

Free Download

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

.imgHideOnJavaScriptDisabled_https://media.itpro.co.uk//image/upload/f_auto,t_resource-card-mobile@1/v1666165904/itpro/Whitepaper%20covers/2022_state_of_multi_cloud_thumb.jpg { display: none !important; }

Free Download

Solve global challenges with machine learning

Tackling our word's hardest problems with ML

.imgHideOnJavaScriptDisabled_https://media.itpro.co.uk//image/upload/f_auto,t_resource-card-mobile@1/v1674741721/itpro/Whitepaper%20covers/tackling_our_worlds_problems_with_ML_thumb.png { display: none !important; }

Free Download