Mozilla released Firefox v97.0.2 today. The out-of-band update doesn’t contain any features, but patches two bugs that are listed as “Critical”. Users must apply the update urgently because Mozilla has confirmed that both the security vulnerabilities are being actively exploited.
The Mozilla Firefox 97.0.2 update contains patches for two zero-day bugs which are currently active. “We have had reports of attacks in the wild abusing [these] flaw[s],” indicated Mozilla in the “Mozilla Foundation Security Advisory 2022-09”.
The Security advisory is light on details, presumably because Mozilla doesn’t want attackers to have access to technical aspects about how to exploit the bugs. Nonetheless, it does offer some details about the two flaws, which are tagged as “Critical”:
- CVE-2022-26485 (Use-after-free in XSLT parameter processing): This bug is been exploited for Remote Code Execution (RCE), implying that attackers with no existing privileges or accounts on a computer can potentially run malware code of their choice on their victims" computers, simply by luring unsuspecting users to an innocent-looking but malware-laced website.
- CVE-2022-26486 (Use-after-free in WebGPU IPC Framework): This bug is part of a "sandbox escape". This sort of security flaw can either be abused on its own (an attacker gains access to files that are supposed to be off-limits) or in combination with an RCE bug to allow seeded malware to escape from the security perimeters deployed by the browser.
Both of the security flaws are listed as “Use-after-free” bugs. In programming terms, this refers to an application indicating its intention to cease access to system memory, essentially, “freeing it up” for other applications to use. However, in some cases, applications may continue using or occupying system memory. This can have a detrimental impact on other applications waiting for their turn to access memory.
Oftentimes, this results in programs crashing, but sometimes, even data can get corrupted. Needless to add, both these situations can be considered security issues. Attackers can also utilize these issues to trick programs into running untrusted code.
To update Mozilla Firefox, head over to the Application Menu, click on Help > About Firefox. As this is a small out-of-band security update, there’s no controlled rollout. Incidentally, besides Firefox v97 for regular users, the update is also applicable for Firefox 91.6.1 ESR (Extended Support Release) and Firefox 97.3.0 for Android.