Mozilla fixes two Firefox zero-days being actively exploited

Critical vulnerabilities allow attackers to execute arbitrary code or trigger crashes

Firefox icon

Mozilla has moved fast to fix two Firefox browser zero-day vulnerabilities being actively exploited in the wild.

The flaws are both "use-after-free" vulnerabilities that could potentially allow attackers to execute arbitrary code or trigger crashes on machines running vulnerable versions of the Firefox browser.

The first bug, tracked as CVE-2020-6819, is tied to the browser component “nsDocShell destructor”, while the second zero-day, CVE-2020-6820, is linked to a race condition in the ReadableStream class, which is used to read a stream of data.

As per Mozilla's security advisory, the Firefox developers "are aware of targeted attacks in the wild abusing" these two critical flaws. However, details about the actual attacks where these two bugs are being exploited are still kept under wraps.

“Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution,” according to a Center for Internet Security bulletin

“Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”

The discovery of these vulnerabilities was credited to security researchers Francisco Alonso and Javier Marcos. Alonso tweeted there are “more details to be published (including other browsers),” indicating these flaws likely also affect other web browsers. 

Fixes are available in Firefox 74.0.1 and are also available for Firefox 68 users with version 68.6.

Mozilla patched another actively exploited Firefox zero-day with the release of Firefox 72.0.1 in January, which it also warned was being used in targeted attacks. This critical flaw, branded CVE-2019-17026, allowed an attacker to seize control of an affected computer through a mechanism that leads to ‘type confusion’.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

Your essential guide to internet security
Security

Your essential guide to internet security

23 Sep 2020
Bank-targeting malware disguises itself as video conferencing software
Security

Bank-targeting malware disguises itself as video conferencing software

19 Oct 2020
What is shoulder surfing?
Security

What is shoulder surfing?

19 Oct 2020
Google blocked record-breaking 2.5Tbps DDoS attack in 2017
Security

Google blocked record-breaking 2.5Tbps DDoS attack in 2017

19 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
iPhone 12 lineup official with A14 Bionic chip and 5G support
Mobile Phones

iPhone 12 lineup official with A14 Bionic chip and 5G support

13 Oct 2020
Google blocked record-breaking 2.5Tbps DDoS attack in 2017
Security

Google blocked record-breaking 2.5Tbps DDoS attack in 2017

19 Oct 2020