Under Active Attack

Mozilla has pushed out-of-band software updates to its Firefox web browser to contain two high-impact security vulnerabilities, both of which it says are being actively exploited in the wild.

Tracked as CVE-2022-26485 and CVE-2022-26486, the zero-day flaws have been described as use-after-free issues impacting the Extensible Stylesheet Language Transformations (XSLT) parameter processing and the WebGPU inter-process communication (IPC) Framework.


XSLT is an XML-based language used for the conversion of XML documents into web pages or PDF documents, whereas WebGPU is an emerging web standard that's been billed as a successor to the current WebGL JavaScript graphics library.

The two flaws are described below:

  • CVE-2022-26485 – Removing an XSLT parameter during processing could lead to an exploitable use-after-free
  • CVE-2022-26486 – An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape

Use-after-free bugs – which could be exploited to corrupt valid data and execute arbitrary code on compromised systems – stem mainly from a "confusion over which part of the program is responsible for freeing the memory."


Mozilla acknowledged that "We have had reports of attacks in the wild" weaponizing the two vulnerabilities but did not share any technical specifics related to the intrusions or the identities of the malicious actors exploiting them.

Security researchers Wang Gang, Liu Jialei, Du Sihang, Huang Yi, and Yang Kang of Qihoo 360 ATA have been credited with discovering and reporting the shortcomings.

While targeted attacks leveraging zero-days in Firefox have been a relatively rare occurrence when compared to Apple Safari and Google Chrome, Mozilla previously addressed three actively exploited flaws in 2020 and one in 2019.

In light of active exploitation of the flaws, users are advised to upgrade as soon as possible to Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, Focus 97.3.0, and Thunderbird 91.6.2.
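For teams checking a fleet against these fixed releases, the following is an added example (not from Mozilla or the original article) that flags installs older than the versions listed above. The inventory format, host names, product keys, and the assumption that ESR builds report a version ending in `esr` are illustrative.

```python
import re

# Minimum fixed versions, taken from the upgrade recommendation above.
# The product keys are hypothetical inventory labels.
FIXED = {
    "firefox": (97, 0, 2),
    "firefox-esr": (91, 6, 1),
    "firefox-android": (97, 3, 0),
    "focus": (97, 3, 0),
    "thunderbird": (91, 6, 2),
}

def parse_version(text):
    """Return ((major, minor, patch), is_esr) for '97.0.2', '98.0' or '91.6.1esr'."""
    m = re.fullmatch(r"(\d+(?:\.\d+){0,2})(esr)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # pad '98.0' to (98, 0, 0)
    return tuple(parts), m.group(2) is not None

def is_patched(product, version_text):
    """Compare against the fixed release for the product's own channel."""
    version, is_esr = parse_version(version_text)
    key = product.lower()
    if key == "firefox" and is_esr:
        key = "firefox-esr"                  # ESR has its own fixed version
    return version >= FIXED[key]

def audit(inventory):
    """Return (host, product, version) for every install below the fixed release."""
    findings = []
    for line in inventory.strip().splitlines():
        host, product, version = line.split()
        if not is_patched(product, version):
            findings.append((host, product, version))
    return findings

# Constructed sample inventory: "host product version". Not real hosts.
SAMPLE = """
ws-01 firefox 97.0.1
ws-02 firefox 97.0.2
ws-03 firefox 91.6.1esr
ws-04 firefox 91.6.0esr
ws-05 firefox 91.0
mail-01 thunderbird 91.6.1
mob-01 focus 97.3.0
"""

if __name__ == "__main__":
    for host, product, version in audit(SAMPLE):
        print(f"{host}: {product} {version} predates the fixed release")
```

The channel check matters because a 91.x build is only fixed if it is the ESR line at 91.6.1 or later; a release-channel 91.x install is far below 97.0.2 and is flagged.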

Update: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added the two Firefox zero-day vulnerabilities, along with nine other bugs, to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to apply the fixes by March 21, 2022.
