Mozilla has released fixes for two critical zero-day flaws in the Firefox browser, which it said cybercriminals are actively exploiting.
The two vulnerabilities are use-after-free errors, a type of memory corruption flaw that stems from the improper allocation for invalid data and that can be triggered by closing a connection while data is still being transmitted. This can lead to numerous malicious consequences, such as data corruption or arbitrary code execution.
“We have had reports of attacks in the wild abusing this flaw,” according to Mozilla in a Saturday advisory. No further details on the attacks have been disclosed.
The first flaw (CVE-2022-26485) is related to the processing of Extensible Stylesheet Language Transformations (XSLT) language parameters. XSLT supports the process of passing parameters to a stylesheet when executing it. The vulnerability occurs when the XSLT parameter is removed during processing, which could lead to an exploitable use-after-free. The second flaw (CVE-2022-26486) occurs in the WebGPU inter-process communication (IPC) framework, which enables webpages to use the system’s GPU for various complex graphics and images on webpages. This vulnerability could enable an exploitable sandbox escape, according to the advisory.
To be exploited, a user would need to either open a specially crafted file or browse to a malicious website," said Dustin Childs, communications Manager with Trend Micro’s Zero Day Initiative program. "The browse-and-own scenario is more likely, as these bugs are the types we normally see in watering hole attacks. These bugs are typically combined with another bug that escalates privileges to take over the target system. As always, we recommend never performing day-to-day tasks, like browsing the internet, while using an account with elevated privileges.
The flaws have been fixed in Firefox 97.0.2, Firefox Extended Support Release (ESR) 91.6.1, Firefox for Android 97.3.0, Thunderbird 91.6.2 and Focus 97.3.0 (Focus is a free and open-source mobile browser from Mozilla). Both were uncovered by Wang Gang, Liu Jialei, Du Sihang, Huang Yi and Yang Kang of 360 ATA.
Several serious browser vulnerabilities have been discovered - and in some cases, exploited by attackers - over the past few months. In December, Mozilla also released a fix for a critical memory corruption flaw in its NSS cryptographic library, which could have allowed an attacker to execute arbitrary code on vulnerable applications. In October, Google issued fixes for eight security flaws, including two high-severity bugs, which were exploited by attackers.