Firefox update patches two zero-day vulnerabilities
Last month, Mozilla released Firefox 74.0 and Firefox ESR 68.6.0. These versions of the web browser include quite a number of security fixes, but they also contain two security vulnerabilities that were unknown to the developers at the time of release. Two JMP Security researchers, Francisco Alonso and Javier Marcos, discovered the vulnerabilities and reported them to Mozilla. The two vulnerabilities are now registered in the National Vulnerability Database and the Common Vulnerabilities and Exposures system as CVE-2020-6819 and CVE-2020-6820.
Both vulnerabilities are use-after-free bugs that allow attackers to remotely execute malicious code. Each bug is triggered by a race condition, and the two differ in the browser component involved. The first vulnerability involves the nsDocShell destructor, which is related to the reading of HTTP headers, while the second involves the ReadableStream interface of the Streams API. According to Mozilla, "The Streams API allows JavaScript to programmatically access streams of data received over the network and process them as desired by the developer."
Mozilla has now released Firefox 74.0.1 and Firefox ESR 68.6.1, which both contain patches for the two security vulnerabilities. According to Mozilla's security advisory, these vulnerabilities have been exploited by attackers. A statement from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urges Firefox users to update to Firefox 74.0.1 and Firefox ESR 68.6.1.
The post Firefox update patches two zero-day vulnerabilities appeared first on The Tech Report.