Firefox 74.0.1 and ESR 68.6.1 Released

by martyb from SoylentNews on (#51Q9B)

An Anonymous Coward writes:

Mozilla has released Firefox 74.0.1 and ESR 68.6.1, which include fixes to two exploits which are being used in targeted attacks.

The Release Notes list two security vulnerabilities. The defects have been assigned Common Vulnerabilities and Exposures IDs: CVE-2017-6819 and CVE-2020-6819.

Mozilla's release notes state:

CVE-2020-6819: Use-after-free while running the nsDocShell destructor

[...] Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw.

Bug 1620818.

and:

CVE-2020-6820: Use-after-free when handling a ReadableStream

Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw.

[...] Bug 1626728.

According to ZDNet (Firefox gets fixes for two zero-days exploited in the wild):

Details about the actual attacks where these two bugs are being exploited are still kept under wraps -- a common practice among software vendors and security researchers, as they focus on delivering patches first and then investigating the attacks further.

Mozilla credited security firm JMP Security and security researcher Francisco Alonso with discovering the two zero-days.
