Mozilla has published Firefox 97.0.2, an “out-of-band” update that closes two bugs that are officially listed as critical.
Firefox Vulnerability March 2022
Mozilla reports that both of these holes are already actively being exploited, making them so-called zero-day bugs, which means, in simple terms, that the crooks got there first:
We have had reports of attacks in the wild abusing [these] flaw[s].
Access to information about the bugs is still restricted to Mozilla insiders, presumably to make it harder for attackers to get at the technical details of how to exploit these security holes.
Assuming that the existing zero-day exploits are not widely known (these days, true zero-days are often jealously guarded by their discoverers because they’re considered both scarce and valuable), temporarily limiting access to the source code changes does provide some protection against copycat attacks.
As we’ve mentioned many times before on Naked Security, finding and exploiting a zero-day hole when you know where to start looking, and what to start looking for, is very much easier than discovering such a bug from scratch.
The bugs are listed as:
- CVE-2022-26485. Use-after-free in XSLT parameter processing. This bug has apparently already been exploited for remote code exection (RCE), implying that attackers with no existing privileges or accounts on your computer could trick you into running malware code of their choice simply by luring you to an innocent-looking but booby-trapped website.
- CVE-2022-26486, Use-after-free in WebGPU IPC Framework. This bug has apparently already been exploited for what’s known as a sandbox escape. This sort of security hole can typically be abused on its own (for example, to give an attacker access to files that are supposed to be off limits), or in combination with an RCE bug to allow implanted malware to escape from the security confines imposed by your browser, thus making an already bad situation even worse.
Use-after-free bugs occur when one part of a program signals its intention to stop using a chunk of memory that was allocated to it…
…but carries on using it anyway, thus potentially trampling on data that other parts of the program are now relying on.
In the best case, a use-after-free bug typically leads to corrupted data or to a program crash, either of which can be considered a security problems in its own right.
In the worst case, a use-after-free leads to remote code execution, where the data that’s trampled on is wilfully modified by the attackers to trick the program into running untrusted code from outside.
What to do?
Go to the About Firefox dialog to check your current version.
If you are out of date then Firefox will offer to fetch the update and then present a
[Restart Firefox] button; click the button, or exit and restart the browser, to deploy the update.
The version numbers you want are: Firefox 97.0.2 (if you are using the regular release), or Firefox 91.6.1 ESR (if you are using the extended support release), or Firefox 97.3.0 for Android.
If you’re on Android, check for updates via the Play Store.
If you’re a Linux user where Firefox is managed by your distro, check your distro creator.
Note that if you are not yet on the latest major version (97.0 for regular Firefox, or 91.6 for the Extended Support Release), you may need to complete the update in multiple stages, so be sure to re-visit the About Firefox dialog after each update has been installed, to make sure you have finished all needed update-and-restart cycles.
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.
- Hacker tries to sell 500m WhatsApp user data on dark web - 28 November 2022
- Musk Confirms Twitter 2.0 will Bring End-to-End Encryption to Direct Messages - 28 November 2022
- UK bans Chinese CCTV cameras at ‘sensitive’ government locations - 26 November 2022