Mozilla Patches Two Critical Zero-Days in Firefox

The latest release of Firefox brings fixes for two Critical vulnerabilities already seen exploited in the wild.

Mozilla has patched two Critical vulnerabilities in Firefox 74.0.1 and Firefox ESR 68.6.1, released on April 3. The US Cybersecurity and Infrastructure Security Agency (CISA) has published an alert encouraging users and admins to review the advisory and apply the necessary patches.

CVE-2020-6819 and CVE-2020-6820 have been seen exploited in targeted attacks. Both flaws can cause a use-after-free condition, a type of memory corruption flaw that attackers can use to execute arbitrary code or potentially achieve remote code execution.

In CVE-2020-6819, under certain conditions, a race condition when running the nsDocShell destructor can cause a use-after-free. In CVE-2020-6820, under certain conditions, a race condition when handling a ReadableStream can cause a use-after-free. Mozilla did not provide details on how attackers are using these flaws or what their targets are.

Mozilla credits vulnerability researchers Francisco Alonso and Javier Marcos for discovering the vulnerabilities.

Read the full advisory here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.