This article is more than 1 year old

Mozilla plugs two Firefox browser holes exploited in the wild by hackers to hijack victims' computers

Update now before it's too late

Mozilla has released security updates for its Firefox browser in conjunction with a US Cybersecurity and Infrastructure Security Agency (CISA) advisory warning that critical vulnerabilities in the browser are being actively exploited.

"An attacker could exploit these vulnerabilities to take control of an affected system," US CISA said, without providing any specific details about the two bugs. "These vulnerabilities have been detected in exploits in the wild."

To address these flaws, Firefox was updated to version 74.0.1 and Firefox Extended Support Release (ESR) – a slower evolving version for enterprises – was updated to 68.6.1. Firefox users should automatically receive these updates unless this capability has been disabled. Users can also check their version of Firefox via the Firefox -> About Firefox menu and manually initiate an update if one is available.

The bugs were reported by security researchers Francisco Alonso and Javier Marcos, the latter affiliated JMPSec. Reached via Twitter, Marcos declined to comment further.

"We had a report that these exploits were being used on a malicious site in targeted attacks," Mozilla spokesperson said in an email to The Register. "We have remedied the situation. We shipped a Firefox update out of cycle in an abundance of caution."

Twitter logo and fingerprints

If you use Twitter with Firefox in a shared computer account, you may have slightly spilled some private data on that PC


Mozilla's Security Advisory identifies two CVEs: CVE-2020-6819: Use-after-free() while running the nsDocShell destructor and CVE-2020-6820: Use-after-free() when handling a ReadableStream.

The bugs involve race conditions that can lead to use-after-free() errors.

A race condition in the context of software describes an error arising from events happening in an unintended or undesirable sequence. For example, if two threads access the same variables or objects at the same time, one could change a value before the other is supposed to read that value, leading to execution taking the wrong turn.

And a use-after-free() error involves accessing a block of allocated memory after it has been freed. Because these bugs are considered critical, it's likely they could be exploited by malicious websites to run arbitrary code, such as malware or spyware, on the computers of visitors using vulnerable versions of Firefox.

Mozilla declined to provide more details about the bugs. Details are not available to the public via the Firefox bug tracking system, which suggests they're serious enough that those involved wish to keep the specific secret while the updates get distributed.

Firefox recently slipped to third place in the browser popularity race, displaced by Microsoft Edge, which was replatformed last year onto the open source Chromium project.

In January, Mozilla laid off 70 people, including its quality assurance leads. ®

PS: Google fixed three high-severity security holes in Chrome at the end of last month, though these were not under active attack at the time, as far as we can tell.

More about


Send us news

Other stories you might like