Mozilla recently rolled out an important update to the Firefox browser. With the release of Firefox 74.0.1, Mozilla has addressed two critical zero-day bugs under active exploit.
Critical Firefox Zero-day Bugs
As evident from Mozilla’s recent advisory, two critical severity bugs existed in the Firefox browser. What’s troublesome is that both the vulnerabilities caught the attention of criminal hackers before Mozilla could address them.
According to the advisory, both the vulnerabilities were use-after-free flaws affecting different components. The first of these CVE-2020-6819 would exist when running the nsDocShell destructor. Whereas, the second, CVE-2020-6820 existed during handling a ReadableStream. A race condition would cause use-after-free in both cases.
Mozilla admitted the exploitation of both vulnerabilities in the wild. As stated,
We are aware of targeted attacks in the wild abusing this flaw.
The tech giant acknowledged Francisco Alonso and Javier Marcos for reporting both the flaws.
Mozilla Patched The Flaws With Firefox 74.0.1
At present, neither Mozilla nor the researchers have shared any explicit details regarding the vulnerabilities or their exploitation.
Nonetheless, the researchers appreciate how Mozilla swiftly released the patches for both bugs amidst COVID-19 chaos.
https://twitter.com/revskills/status/1246151375198846977
Nonetheless, they also hint that the same bugs potentially affect other browsers as well.
https://twitter.com/revskills/status/1246145858107838464
For now, Mozilla Firefox 74.0.1 is out for all users. Hence, every user should ensure update their devices with the latest version to avoid the chance of exploitation.
The present update comes a few weeks after Mozilla rolled out its Firefox 74 with major security upgrades. It not only included bug fixes but also made the ‘Facebook Container’ extension publicly available.
In a related story, Twitter has also addressed a bug that allowed Firefox to store users’ private files in cache. This would also affect the private files shared via users’ DMs, causing a privacy breach for the users of public PCs.
