Firefox is a free and open-source web browser for Windows, OS X, and Linux, as well as an Android mobile version.
Mozilla has released out-of-band updates for its Firefox web browser to address two high-impact security flaws. According to the advisory, both vulnerabilities were actively exploited in the wild.
Mozilla has patched the following zero-day vulnerabilities:
- CVE-2022-26485 (XSLT parameter processing use-after-free): Removing an XSLT parameter during processing might have resulted in an exploitable use-after-free vulnerability. XSLT is an XML-based language for converting XML files into web pages or PDF files.
Both zero-day flaws are “use-after-free” vulnerabilities, in which a program attempts to use memory that has already been freed. Successful exploitation can crash the program and can also allow commands to be executed on the device without authorization.
Use-after-free flaws can be used to corrupt valid data and execute arbitrary code on affected systems. These flaws arise from a “conflict over which component of the program is responsible for freeing memory,” according to the researchers.
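As an added illustration, not Mozilla's code and not the actual Firefox defect, the following toy C program shows the ownership conflict described above: a processing component keeps a raw pointer to a parameter object that a removal path frees, beside the fixed version in which the processor holds its own counted reference. The tracked heap, the `Param` type and the `uaf_flow`/`fixed_flow` names are constructed for this example so that the stale access is reported as a return value instead of being undefined behaviour.

```c
/* Toy ownership-conflict demo: a parameter object is still in use by one
 * component while another component removes and frees it. A tiny tracked
 * heap stands in for malloc/free so the stale access is detected, not UB. */
#include <stdio.h>
#include <string.h>

#define NSLOTS 4
typedef struct { char name[16]; int refs; int live; } Param;
static Param heap[NSLOTS];               /* constructed toy heap */

static Param *param_new(const char *name) {
    for (int i = 0; i < NSLOTS; i++)
        if (!heap[i].live) {
            heap[i].live = 1; heap[i].refs = 1;
            strncpy(heap[i].name, name, sizeof heap[i].name - 1);
            return &heap[i];
        }
    return NULL;
}
/* Drop one reference; the last owner to release actually frees the slot. */
static void param_release(Param *p) {
    if (p->live && --p->refs == 0) { p->live = 0; memset(p->name, 0, sizeof p->name); }
}
/* Returns 0 if the access hit a live object, -1 if it hit freed memory. */
static int param_use(const Param *p) { return p->live ? 0 : -1; }

/* Buggy flow: the processor borrows the pointer without taking a reference,
 * the removal path frees the object, the processor then touches freed memory. */
int uaf_flow(void) {
    Param *p = param_new("indent");
    const Param *in_use = p;     /* processor holds a raw pointer only */
    param_release(p);            /* removal path: refs 1 -> 0, object freed */
    return param_use(in_use);    /* -1: use-after-free */
}
/* Fixed flow: the processor is a counted owner, so removal from the
 * parameter list cannot free the object until processing has finished. */
int fixed_flow(void) {
    Param *p = param_new("indent");
    p->refs++;                   /* processor takes its own reference */
    param_release(p);            /* removal path drops the list's reference */
    int rc = param_use(p);       /* 0: object still live */
    param_release(p);            /* processor done; now actually freed */
    return rc;
}

int main(void) {
    printf("buggy flow: %d (expect -1)\nfixed flow: %d (expect 0)\n", uaf_flow(), fixed_flow());
    return 0;
}
```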
All Mozilla Firefox versions prior to Firefox 97.0.2 are affected by this vulnerability.
Customers can upgrade to Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 versions to mitigate the vulnerability. For more information, please refer to the Mozilla security advisory.
Qualys customers can scan their devices with QIDs 376457 and 376458 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.