New versions of the browser are now available

Mar 6, 2022 10:59 GMT

Mozilla has released an emergency security update for the Firefox browser, saying it is aware of two vulnerabilities affecting several versions of the app.

In the advisory published this week, Mozilla explains that the new patches are available for Firefox, Firefox ESR, Firefox for Android, and Focus.

The new versions that users can download right now are Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0.

The security vulnerabilities

The first flaw patched by these updates is tracked as CVE-2022-26485 and is described as a use-after-free in XSLT parameter processing. The bug was reported by Wang Gang, Liu Jialei, Du Sihang, Huang Yi & Yang Kang of 360 ATA and carries a critical severity rating.

“Removing an XSLT parameter during processing could have led to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw,” Mozilla says.

The second vulnerability is tracked as CVE-2022-26486, a use-after-free in the WebGPU IPC framework. The same researchers discovered and reported this flaw.

“An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw,” Mozilla explains.

The new Firefox versions can be downloaded right now through the usual channels, and it is worth knowing that these updates contain no other changes. In other words, their sole purpose is to fix the reported security vulnerabilities, and since both are rated critical, users are advised to install them as soon as possible.

In both cases, Mozilla says it is already aware of in-the-wild attacks exploiting the flaws, so organizations should not delay patching.
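One practical follow-up for a fleet is to check installed builds against the fixed versions named in the advisory. The following is an added example, not code from the article or from Mozilla; the fixed-version table is taken from the text above, while the inventory format (hostname, product, version) and the sample rows are constructed assumptions.

```python
import csv
import io
import re

# Minimum versions carrying the fixes for CVE-2022-26485 / CVE-2022-26486,
# as listed in the article (Mozilla advisory values).
PATCHED = {
    "Firefox": "97.0.2",
    "Firefox ESR": "91.6.1",
    "Firefox for Android": "97.3.0",
    "Focus": "97.3.0",
}

# Constructed sample inventory (host,product,version); not real data.
INVENTORY = """\
host,product,version
ws-01,Firefox,97.0.1
ws-02,Firefox,97.0.2
srv-03,Firefox ESR,91.6.0esr
srv-04,Firefox ESR,91.7.0
lab-05,Firefox ESR,78.15.0
phone-06,Firefox for Android,97.3.0
phone-07,Focus,97.2.0
"""

def parse_version(text):
    """'91.6.0esr' -> (91, 6, 0); short strings pad with 0 so 98.0 >= 97.0.2."""
    core = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not core:
        raise ValueError(f"unparsable version: {text!r}")
    parts = tuple(int(p) for p in core.group(0).split("."))
    return parts + (0,) * (3 - len(parts))

def is_patched(product, version):
    """True if the installed build is at or above the fixed version for its product."""
    if product not in PATCHED:
        raise KeyError(f"no advisory entry for {product!r}")
    return parse_version(version) >= parse_version(PATCHED[product])

def hosts_needing_update(inventory_csv=INVENTORY):
    """Return (host, product, version, required) for every unpatched row."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["host"], r["product"], r["version"], PATCHED[r["product"]])
            for r in rows if not is_patched(r["product"], r["version"])]

if __name__ == "__main__":
    for host, product, version, required in hosts_needing_update():
        print(f"{host}: {product} {version} < {required}")
```

The product column must distinguish ESR from the release channel, since an ESR 91.6.1 build is fixed while a release-channel 91.x build is simply out of date.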