The Firefox Internet browser received a critical patch from the Mozilla Foundation to fix a couple of actively exploited zero-day vulnerabilities that were endangering both regular users and institutions.
Zero-day vulnerabilities in Internet browsers are dangerous because criminals and hackers can use them with great success in a wide range of criminal schemes. Regular users are rarely affected by zero-day exploits, as hackers don’t want to waste such an important resource on low-level targets. Companies and institutions are more affected, by attackers such as APTs (advanced persistent threats) backed by governments from around the world.
The two vulnerabilities were rated as critical by Mozilla, and details about how they work are not yet public. Both are use-after-free vulnerabilities and were already exploited in the wild, which is why the company is not yet releasing details.
In CVE-2020-6819, under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. And with CVE-2020-6820, when handling a ReadableStream, a race condition can cause a use-after-free as well.
According to the Center for Internet Security (CIS), “the successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
All Firefox versions prior to 74.0.1 and Firefox ESR versions before 68.6.1 are affected, and users are advised to upgrade their Internet browsers as soon as possible.
Ideally, Internet browsers should not be used by users with administrative rights, and people should not visit untrusted websites or follow links provided by unknown or untrusted sources.
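For administrators, the version thresholds above can be applied to a software inventory. The following is an added example, not code from Mozilla or from this article; the host names and version strings are constructed, and it assumes ESR builds report an `esr` suffix as in `firefox --version` output.

```python
import re

# Fixed versions named in the article; older builds on the same channel are affected.
FIXED = {"release": (74, 0, 1), "esr": (68, 6, 1)}

# major.minor[.patch], optional alpha/beta tag, optional "esr" suffix.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?([ab]\d+)?(esr)?", re.I)


def classify(version_text):
    """Return 'affected', 'fixed' or 'unknown' for one reported version string."""
    m = _VERSION_RE.search(version_text)
    if not m:
        return "unknown"  # Firefox missing or output not recognised
    if m.group(4):
        return "unknown"  # beta/nightly: the article gives no threshold for these
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    channel = "esr" if m.group(5) else "release"
    return "affected" if version < FIXED[channel] else "fixed"


def triage(inventory):
    """Group host names by status so affected and unknown hosts can be followed up."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, version_text in inventory.items():
        result[classify(version_text)].append(host)
    return {status: sorted(hosts) for status, hosts in result.items()}


# Constructed sample inventory (host names and strings are illustrative).
INVENTORY = {
    "ws-01": "Mozilla Firefox 74.0",
    "ws-02": "Mozilla Firefox 74.0.1",
    "ws-03": "Mozilla Firefox 68.6.0esr",
    "ws-04": "Mozilla Firefox 68.6.1esr",
    "ws-05": "Mozilla Firefox 75.0b3",
    "ws-06": "not installed",
}

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status:8} {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` need a manual check, since the article only gives thresholds for the release and ESR channels.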
Security researchers Francisco Alonso and Javier Marcos first reported the two vulnerabilities. Interestingly enough, they also say that new details about the exploits will be published and will involve other browsers as well. This means that, while the problems were initially reported on Firefox, they might be valid on other Internet browsers as well.