Mozilla has published Firefox 97.0.2an “out-of-band” update that closes two bugs that are officially listed as critical.
Mozilla reports that both of these holes are already actively being exploited, making them so-called zero-day bugswhich means, in simple terms, that the crooks got there first:
We have had reports of attacks in the wild abusing [these] flaw[s].
Access to information about the bugs is still restricted to Mozilla insiders, presumably to make it harder for attackers to get at the technical details of how to exploit these security holes.
Assuming that the existing zero-day exploits are not widely known (these days, true zero-days are often jealously guarded by their discoverers because they’re considered both scarce and valuable), temporarily limiting access to the source code changes does provide some protection. against copycat attacks.
As we’ve mentioned many times before on Naked Security, finding and exploiting a zero-day hole when you know where to start looking, and what to start looking for, is very much easier than discovering such a bug from scratch.
The bugs are listed as:
- CVE-2022-26485. Use-after-free in XSLT parameter processing. This bug has apparently already been done exploited for remote code exection (RCE), implying that attackers with no existing privileges or accounts on your computer could trick you into running malware code of their choice simply by luring you to an innocent-looking but booby-trapped website.
- CVE-2022-26486, Use-after-free in WebGPU IPC Framework. This bug has apparently already been done exploited for what’s known as a sandbox escape. This sort of security hole can typically be abused on its own (for example, to give an attacker access to files that are supposed to be off limits), or in combination with an RCE bug to allow implanted malware to escape from the security confines imposed by your browser, thus making an already bad situation even worse.
Use-after-free bugs occur when one part of a program signals its intention to stop using a chunk of memory that was allocated to it.
… But carries on using it anyway, thus potentially trampling on data that other parts of the program are now relying on.
In the best case, a use-after-free bug typically leads to corrupted data or to a program crash, either of which can be considered a security problems in its own right.
In the worst case, a use-after-free leads to remote code execution, where the data that’s trampled on is wilfully modified by the attackers to trick the program into running untrusted code from outside.
What to do?
Go to the About Firefox dialog to check your current version.
If you are out of date then Firefox will offer to fetch the update and then present a [Restart Firefox] button; Click the button, or exit and restart the browser, to deploy the update.
The version numbers you want are: Firefox 97.0.2 (if you are using the regular release), or Firefox 91.6.1 ESR (if you are using the extended support release), or Firefox 97.3.0 for Android.
If you’re on Android, check for updates via the Play Store.
If you’re a Linux user where Firefox is managed by your distro, check your distro creator.
Note that if you are not yet on the latest major version (97.0 for regular Firefox, or 91.6 for the Extended Support Release), you may need to complete the update in multiple stages, so be sure to re-visit the About Firefox dialog after each update has been installed, to make sure you have finished all needed update-and-restart cycles.
