Mozilla has announced it has fixed security vulnerabilities in Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0. Users should install the out-of-band security update as soon as possible, since it is designed to apply a fix for two vulnerabilities that are known to be exploited in the wild.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs you need to know:
The vulnerability listed under CVE-2022-26485 can be triggered by removing an XSLT parameter during processing which could lead to an exploitable use-after-free.
In the Extensible Markup Language (XML) the <xsl:param> element is used to declare a local or global parameter. XML is a markup language much like HTML and XML was designed to store and transport data. The XSLT <xsl:param> and <xsl:with-param> elements allow you to pass parameters to a template.
Use-after-free (UAF) is a vulnerability caused by incorrect use of dynamic memory during a program’s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.
The vulnerability listed under CVE-2022-26486 can be exploited by sending an unexpected message in the WebGPU IPC framework which in turn could lead to a use-after-free and exploitable sandbox escape.
WebGPU exposes an API for performing operations, such as rendering and computation, on a Graphics Processing Unit. Interprocess communication (IPC) refers specifically to the mechanisms an operating system provides to allow the processes to manage shared data. WebGPU sees physical Graphics Processing Units (GPUs) hardware as GPUAdapters. It provides a connection which manages resources, and the device’s GPUQueues, which execute commands.
The idea of browser sandboxes is to shield the system from the malware attacking the browser. They do this by containing any malicious code that originates from visiting a website, in the sandbox part of the browser. As soon as the sandbox is closed, everything inside it is erased, including the malicious code.
So, the ability to escape the application’s security sandbox is valuable to an attacker as it can be chained with other vulnerabilities to take over the target system. Since these two vulnerabilities were reported by the same researchers, it seems highly likely they were used together in online attacks for exactly that purpose.
These vulnerabilities are rated critical and that is very likely because they are being exploited in the wild. From the descriptions, we would deduce that these bugs are critical because they could allow a remote attacker to execute almost any command, including the downloading of malware to provide further access to the device. So, there are compelling reasons to apply this update as soon as possible
The affected Mozilla products need to be updated to the versions listed below.
- Firefox 97.0.2
- Firefox ESR 91.6.1
- Firefox for Android 97.3
- Focus 97.3
- Thunderbird 91.6.2
Under normal circumstances, updates will be applied without user intervention. You can check for the version number in the products’ menu under Help > About
Should you not be using the latest version for some reason, e.g. automatic updates are disabled, then this screen will inform you that a new version is available and will start downloading it.
When it’s done, all you need to do is restart the application to apply the update.
Stay safe, everyone!