Mozilla fixes two Firefox zero-days being actively exploited

Critical vulnerabilities allow attackers to execute arbitrary code or trigger crashes

Firefox icon

Mozilla has moved fast to fix two Firefox browser zero-day vulnerabilities being actively exploited in the wild.

The flaws are both "use-after-free" vulnerabilities that could potentially allow attackers to execute arbitrary code or trigger crashes on machines running vulnerable versions of the Firefox browser.

The first bug, tracked as CVE-2020-6819, is tied to the browser component “nsDocShell destructor”, while the second zero-day, CVE-2020-6820, is linked to a race condition in the ReadableStream class, which is used to read a stream of data.

As per Mozilla's security advisory, the Firefox developers "are aware of targeted attacks in the wild abusing" these two critical flaws. However, details about the actual attacks where these two bugs are being exploited are still kept under wraps.

“Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution,” according to a Center for Internet Security bulletin

“Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”

The discovery of these vulnerabilities was credited to security researchers Francisco Alonso and Javier Marcos. Alonso tweeted there are “more details to be published (including other browsers),” indicating these flaws likely also affect other web browsers. 

Fixes are available in Firefox 74.0.1 and are also available for Firefox 68 users with version 68.6.

Mozilla patched another actively exploited Firefox zero-day with the release of Firefox 72.0.1 in January, which it also warned was being used in targeted attacks. This critical flaw, branded CVE-2019-17026, allowed an attacker to seize control of an affected computer through a mechanism that leads to ‘type confusion’.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Almost 70% of CISOs expect a ransomware attack
ransomware

Almost 70% of CISOs expect a ransomware attack

19 Oct 2021
Acer Taiwan falls victim to cyber attack
hacking

Acer Taiwan falls victim to cyber attack

18 Oct 2021
Marsh McLennan reveals its cyber risk analytics center
risk management

Marsh McLennan reveals its cyber risk analytics center

15 Oct 2021
£100 contactless payment limit could place shoppers at risk, warn industry experts
Policy & legislation

£100 contactless payment limit could place shoppers at risk, warn industry experts

15 Oct 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021
What is cyber warfare?
Security

What is cyber warfare?

15 Oct 2021