Mozilla fixes Firefox zero-days exploited in the wild (CVE-2022-26485, CVE-2022-26486)

Mozilla has released an out-of-band security update for Firefox, Firefox Focus, and Thunderbird, fixing two critical vulnerabilities (CVE-2022-26485, CVE-2022-26486) exploited by attackers in the wild.

About the vulnerabilities (CVE-2022-26485, CVE-2022-26486)

The two patched zero-days are both memory corruption bugs of the “use-after-free” kind, meaning that they may allow attackers to use memory that has been freed by the program.

CVE-2022-26485 affects XSLT parameter processing and can be used to achieve remote code execution within the context of the application.

CVE-2022-26486 affects the WebGPU IPC Framework and allows attackers to perform a sandbox escape.

Both flaws have been reported by Wang Gang, Liu Jialei, Du Sihang, Huang Yi & Yang Kang of 360 ATA, so it seems safe to assume they are being used together to compromise machines remotely and allow malware to escape the application’s security sandbox.

Mozilla has chosen not to share more details about the vulnerabilities or the attacks, and has urged users to upgrade to:

• Firefox 97.0.2
• Firefox ESR 91.6.1
• Firefox for Android 97.3
• Focus 97.3
• Thunderbird 91.6.2

Updating the software

While the number of Firefox users has been steadily declining over the last decade, it is still used by millions of users. According to Mozilla’s user activity statistics, nearly 215 million Firefox desktop clients have been active in the past 28 days.

Firefox releases major updates roughly every 50 days, but if the situation warrants – like in this case – out-of-band security updates are pushed out.

Users of the affected software should check for this one and implement it as soon as possible.