Mozilla plugs two Firefox browser holes exploited in the wild by hackers to hijack victims' computers

Update now before it's too late

Mozilla has released security updates for its Firefox browser in conjunction with a US Cybersecurity and Infrastructure Security Agency (CISA) advisory warning that critical vulnerabilities in the browser are being actively exploited.

"An attacker could exploit these vulnerabilities to take control of an affected system," US CISA said, without providing any specific details about the two bugs. "These vulnerabilities have been detected in exploits in the wild."

To address these flaws, Firefox was updated to version 74.0.1 and Firefox Extended Support Release (ESR) – a slower evolving version for enterprises – was updated to 68.6.1. Firefox users should automatically receive these updates unless this capability has been disabled. Users can also check their version of Firefox via the Firefox -> About Firefox menu and manually initiate an update if one is available.

The bugs were reported by security researchers Francisco Alonso and Javier Marcos, the latter affiliated with JMPSec. Reached via Twitter, Marcos declined to comment further.

"We had a report that these exploits were being used on a malicious site in targeted attacks," a Mozilla spokesperson said in an email to The Register. "We have remedied the situation. We shipped a Firefox update out of cycle in an abundance of caution."

Mozilla's Security Advisory identifies two CVEs: CVE-2020-6819, a use-after-free() while running the nsDocShell destructor, and CVE-2020-6820, a use-after-free() when handling a ReadableStream.

The bugs involve race conditions that can lead to use-after-free() errors.

A race condition in the context of software describes an error arising from events happening in an unintended or undesirable sequence. For example, if two threads access the same variables or objects at the same time, one could change a value before the other is supposed to read that value, leading to execution taking the wrong turn.

And a use-after-free() error involves accessing a block of allocated memory after it has been freed. Because these bugs are considered critical, it's likely they could be exploited by malicious websites to run arbitrary code, such as malware or spyware, on the computers of visitors using vulnerable versions of Firefox.
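To make the race-to-destructor pattern concrete, here is an added illustrative C model; it is not Firefox code and does not reproduce the actual nsDocShell bug, whose details Mozilla has not published. An owner drops a refcounted object while a queued consumer still holds a pointer to it; the hypothetical destructor poisons the object instead of calling free(), so the stale read is detected rather than being undefined behaviour, and the counted-reference version shows the usual fix.

```c
#include <string.h>
/* Hypothetical refcounted object standing in for a browser-internal
 * component; illustrative code, not Firefox's nsDocShell. */
typedef struct {
    int refcount;
    int freed;   /* set by the destructor instead of free(), so a stale
                    access is detected rather than undefined behaviour */
    char title[32];
} Shell;

static Shell pool;   /* one static slot: no malloc, nothing to leak */
static Shell *shell_new(const char *title) {
    memset(&pool, 0, sizeof pool);
    pool.refcount = 1;
    strncpy(pool.title, title, sizeof pool.title - 1);
    return &pool;
}
static void shell_addref(Shell *s) { s->refcount++; }
static void shell_release(Shell *s) {
    if (--s->refcount == 0) {                     /* destructor runs */
        memset(s->title, 0, sizeof s->title);     /* poison payload */
        s->freed = 1;                             /* real code: free() */
    }
}
/* Consumer that runs later (e.g. a queued callback): 0 on success,
 * -1 if the object it was handed has already been destroyed. */
static int consumer_read(const Shell *s, char *out, size_t n) {
    if (s->freed) return -1;                      /* UAF caught */
    strncpy(out, s->title, n - 1);
    out[n - 1] = '\0';
    return 0;
}
/* Buggy ordering: owner releases first and the consumer holds only an
 * uncounted raw pointer, so the destructor wins the race. */
int run_raw_pointer(char *out, size_t n) {
    Shell *s = shell_new("example");
    Shell *raw = s;                    /* uncounted reference */
    shell_release(s);                  /* 1 -> 0: destroyed */
    return consumer_read(raw, out, n); /* -1: object already gone */
}
/* Fixed ordering: the consumer holds its own counted reference, so the
 * destructor cannot run until the last user is finished. */
int run_counted(char *out, size_t n) {
    Shell *s = shell_new("example");
    shell_addref(s);                   /* 1 -> 2 */
    shell_release(s);                  /* owner done: 2 -> 1, alive */
    int rc = consumer_read(s, out, n); /* 0: reads "example" */
    shell_release(s);                  /* consumer done: 1 -> 0 */
    return rc;
}
```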

Mozilla declined to provide more details about the bugs. Details are not available to the public via the Firefox bug tracking system, which suggests they're serious enough that those involved wish to keep the specifics secret while the updates get distributed.

Firefox recently slipped to third place in the browser popularity race, displaced by Microsoft Edge, which was replatformed last year onto the open source Chromium project.

In January, Mozilla laid off 70 people, including its quality assurance leads. ®

PS: Google fixed three high-severity security holes in Chrome at the end of last month, though these were not under active attack at the time, as far as we can tell.

Biting the hand that feeds IT © 1998–2022