• Menu
  • Skip to main content
  • Skip to primary sidebar

The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
mozilla fixes firefox flaw that allowed spoofing of https browser

Critical Firefox Zero-Day Bugs Allow RCE, Sandbox Escape

You are here: Home / Latest Cyber Security Vulnerabilities / Critical Firefox Zero-Day Bugs Allow RCE, Sandbox Escape
March 7, 2022

Both vulnerabilities are use-just after-cost-free issues in Mozilla’s well-known web browser.

Mozilla has launched an unexpected emergency update for its Firefox browser that addresses two critical security vulnerabilities that cybercriminals have actively exploited in the wild as zero days.

The two are use-right after-cost-free bugs, which are memory-corruption issues that arise when an software continues to attempt to use a chunk of memory that was assigned to it, just after reported chunk was freed up for use by a different application. This variety of dilemma can direct to remote code execution (RCE), knowledge corruption and system crashes.

✔ Approved From Our Partners
AOMEI Backupper Lifetime

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code


The 1st bug resolved by Mozilla, CVE-2022-26485, is a use-following-free of charge issue in the browser’s XSLT parameter processing. XSLT parameters are utilised for producing stylesheets that are applied to determine the seem and truly feel of a web site.

“Removing an XSLT parameter throughout processing could have led to an exploitable use-after-no cost,” according to Mozilla’s advisory more than the weekend.

The next bug, CVE-2022-26486, is a use-immediately after-free issue in the WebGPU IPC Framework. WebGPU is a web API that supports multimedia on webpages by employing a machine’s Graphics Processing Unit (GPU). It is utilised to assist gaming, movie conferencing and 3D modeling, between other matters.

“An unexpected concept in the WebGPU IPC framework could lead to a use-right after-absolutely free and exploitable sandbox escape,” according to Mozilla.

The enterprise didn’t offer substantially in the way of complex details, presumably to make exploitation all the far more complicated for poor actors. Nevertheless, Paul Ducklin, senior technologist with Sophos, presented some notes.

The 1st bug, he mentioned, is currently being exploited in the wild for RCE, “implying that attackers with no present privileges or accounts on your laptop or computer could trick you into jogging malware code of their option basically by luring you to an harmless-seeking but booby-trapped website.”

The next is being used for sandbox escape, as noted by Mozilla.

“This form of security hole can typically be abused on its personal (for instance, to give an attacker obtain to files that are supposed to be off limits), or in blend with an RCE bug to enable implanted malware to escape from the security confines imposed by your browser, so building an currently poor condition even worse,” Ducklin noted in a Saturday overview.

Wang Gang, Liu Jialei, Du Sihang, Huang Yi and Yang Kang of 360 ATA noted the issues.

Both of those bugs are set in the adhering to versions, and users need to update instantly:

  • Firefox 97..2
  • Firefox ESR 91.6.1
  • Firefox for Android 97.3
  • Aim 97.3
  • Thunderbird 91.6.2

Sign up Currently for Log4j Exploit: Lessons Acquired and Risk Reduction Best Methods – a Live Threatpost party sked for Thurs., March 10 at 2PM ET. Sign up for Sonatype code skilled Justin Youthful as he assists you sharpen code-hunting expertise to minimize attacker dwell time. Understand why Log4j is however harmful and how SBOMs healthy into software source-chain security. Sign-up Now for this one-time Totally free celebration, Sponsored by Sonatype.

 


Some components of this short article are sourced from:
threatpost.com

Previous Post: «understanding how hackers recon Understanding How Hackers Recon
Next Post: Critical Bugs in TerraMaster TOS Could Open NAS Devices to Remote Hacking critical bugs in terramaster tos could open nas devices to»

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Report This Article

Recent Posts

  • Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month
  • Ransomware Gangs Exploit Unpatched SimpleHelp Flaws to Target Victims with Double Extortion
  • CTEM is the New SOC: Shifting from Monitoring Alerts to Measuring Risk
  • Apple Zero-Click Flaw in Messages Exploited to Spy on Journalists Using Paragon Spyware
  • WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network
  • New TokenBreak Attack Bypasses AI Moderation with Single-Character Text Changes
  • AI Agents Run on Secret Accounts — Learn How to Secure Them in This Webinar
  • Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data Without User Interaction
  • Non-Human Identities: How to Address the Expanding Security Risk
  • ConnectWise to Rotate ScreenConnect Code Signing Certificates Due to Security Risks

Copyright © TheCyberSecurity.News, All Rights Reserved.