Mozilla Firefox Releases Updates to Address Two Zero-day Vulnerabilities (CVE-2022-26485 & CVE-2022-26486)

Firefox is a free and open-source web browser for Windows, OS X, and Linux, and is also available as a mobile version for Android.
 
Mozilla has released out-of-band updates for its Firefox web browser to address two high-impact security flaws. According to the advisory, both vulnerabilities were actively exploited in the wild.
 
Mozilla has patched the following zero-day vulnerabilities: 

  • CVE-2022-26485 (XSLT parameter processing use-after-free): Removing an XSLT parameter during processing might have resulted in an exploitable use-after-free vulnerability. XSLT is an XML-based language for transforming XML documents into other formats such as web pages or PDF files.
  • CVE-2022-26486 (WebGPU IPC framework use-after-free): An unexpected message in the WebGPU IPC framework could result in a use-after-free and an exploitable sandbox escape. WebGPU is a developing web standard positioned as the successor to the current WebGL JavaScript graphics API.

Both zero-day flaws are "use-after-free" vulnerabilities, in which a program continues to use memory that has already been freed. Successful exploitation can crash the program and may also allow an attacker to execute code on the device without authorization.
 
Use-after-free flaws can be used to corrupt valid data and execute arbitrary code on affected systems. According to the researchers, these flaws are caused by a "conflict over which component of the program is responsible for freeing memory."
 
Affected versions  
All Mozilla Firefox versions prior to Firefox 97.0.2 are affected by these vulnerabilities.
 
Mitigation  
Customers can upgrade to Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, or Focus 97.3.0 to mitigate these vulnerabilities. For more information, please refer to the Mozilla security advisory.
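A small inventory check against the fixed builds listed above, added here as an example rather than code from Qualys or Mozilla. It assumes the `firefox --version` output format "Mozilla Firefox 97.0.1" (desktop) and "Mozilla Firefox 91.6.1esr" (ESR), and treats any build below the fixed version on its branch as unpatched.

```python
import re

# Fixed builds named in the Mozilla advisory (MFSA 2022-09) for these two CVEs.
FIXED_VERSIONS = {
    "release": (97, 0, 2),   # Firefox 97.0.2
    "esr": (91, 6, 1),       # Firefox ESR 91.6.1
    "android": (97, 3, 0),   # Firefox for Android 97.3.0
}

# Accepts "97.0", "97.0.1", "91.6.1esr"; beta/nightly strings such as "98.0b3" are rejected.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr)?$", re.IGNORECASE)


def parse_version(version):
    """Return ((major, minor, patch), is_esr) for a Firefox version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {version!r}")
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None


def is_vulnerable(version, platform="desktop"):
    """True if this build predates the fixed release on its branch (release/ESR/Android)."""
    parsed, is_esr = parse_version(version)
    if is_esr:
        branch = "esr"
    elif platform == "android":
        branch = "android"
    else:
        branch = "release"
    # Tuple comparison orders (major, minor, patch) numerically, so 97.0.1 < 97.0.2 and 96.0 < 97.0.2.
    return parsed < FIXED_VERSIONS[branch]


def assess_version_line(line, platform="desktop"):
    """Assess the line printed by `firefox --version` (assumed format: 'Mozilla Firefox <version>').

    Returns (version_string, vulnerable)."""
    m = re.search(r"(\d+\.\d+(?:\.\d+)?(?:esr)?)\s*$", line, re.IGNORECASE)
    if not m:
        raise ValueError(f"no version found in: {line!r}")
    version = m.group(1)
    return version, is_vulnerable(version, platform)


if __name__ == "__main__":
    # Constructed sample output lines, one per branch.
    for sample in ("Mozilla Firefox 97.0.1", "Mozilla Firefox 97.0.2", "Mozilla Firefox 91.6.0esr"):
        print(sample, "->", "UNPATCHED" if assess_version_line(sample)[1] else "fixed")
```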
 
Qualys Detection  
Qualys customers can scan their devices with QIDs 376457 and 376458 to detect vulnerable assets.
  
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.  
  
References 
https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/ 
https://thehackernews.com/2022/03/2-new-mozilla-firefox-0-day-bugs-under.html 
https://www.bleepingcomputer.com/news/security/mozilla-firefox-9702-fixes-two-actively-exploited-zero-day-bugs/ 
