Mozilla fixes two actively exploited zero-day vulnerabilities in Firefox

Big picture: Mozilla has released new versions of its Firefox browser that fix two critical zero-day vulnerabilities. Both have already been heavily exploited in the wild, so you should patch as soon as possible to avoid being exposed.

The vulnerabilities, tracked as CVE-2022-26485 and CVE-2022-26486, are use-after-free (UAF) vulnerabilities reported to Mozilla by Chinese Internet security company Qihoo 360. At their most basic, these types of vulnerabilities are related to the misuse of dynamic memory during program execution.

Pointers in the program refer to data sets in dynamic memory. If the data set is deleted or moved to another block, but the pointer, instead of being cleared (set to zero), continues to refer to memory that has already been freed, the result is a dangling pointer. If the program then allocates the same chunk of memory to another object (for example, data entered by an attacker), the dangling pointer will now point to this new set of data. In other words, UAF vulnerabilities allow code substitution.
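The dangling-pointer sequence described above, as an added example that is not from the original article or from Firefox's code: a constructed one-slot pool makes the memory reuse deterministic, and a generation check shows one way to reject a stale reference. All names (`pool_alloc`, `pool_free`, `read_checked`, `stale_read`) are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Constructed one-slot pool: reuse is deterministic and nothing here is undefined behaviour. */
typedef struct { char data[16]; unsigned gen; int in_use; } Slot;
static Slot pool[1];

/* A reference to a slot, plus the generation the slot had when the reference was issued. */
typedef struct { Slot *p; unsigned gen; } Handle;

static Handle pool_alloc(const char *content) {
    Slot *s = &pool[0];
    if (s->in_use) return (Handle){ NULL, 0 };
    s->in_use = 1;
    s->gen++;                                  /* every reuse gets a new generation */
    strncpy(s->data, content, sizeof s->data - 1);
    s->data[sizeof s->data - 1] = '\0';
    return (Handle){ s, s->gen };
}

/* Frees the slot and clears only the handle passed in; any copies stay dangling. */
static void pool_free(Handle *h) {
    if (h->p) { h->p->in_use = 0; h->p = NULL; }
}

/* Vulnerable pattern: follows the pointer without asking what it refers to now. */
static const char *read_unchecked(Handle h) { return h.p ? h.p->data : NULL; }

/* Hardened pattern: rejects a cleared, freed or reissued slot. */
static const char *read_checked(Handle h) {
    if (!h.p || !h.p->in_use || h.p->gen != h.gen) return NULL;
    return h.p->data;
}

/* Replays free-then-reallocate and returns what a leftover copy of the handle sees. */
static const char *stale_read(int hardened) {
    Handle owner = pool_alloc("trusted");
    Handle stale = owner;                      /* second reference kept elsewhere */
    pool_free(&owner);                         /* owner is cleared, stale is not */
    Handle reuse = pool_alloc("untrusted");    /* same memory, different object */
    const char *seen = hardened ? read_checked(stale) : read_unchecked(stale);
    pool_free(&reuse);
    return seen;
}

int main(void) {
    const char *s = stale_read(1);
    printf("unchecked: %s\n", stale_read(0));
    printf("checked:   %s\n", s ? s : "(rejected: stale handle)");
    return 0;
}
```

Clearing the pointer used for the free does not help the copy held elsewhere, which is why the checked read validates the slot's generation instead of trusting the pointer.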

CVE-2022-26485 pertains to a UAF vulnerability in XSLT parameter handling, and the other pertains to a UAF in the WebGPU IPC framework. Mozilla said in its security advisory that it has reports of attacks in the wild using both bugs.

You can get the latest version of Mozilla Firefox for your platform of choice from our downloads page, or you can update manually through Firefox’s integrated help menu.

Mozilla’s Firefox has lost significant market share over the last decade or so. According to StatCounter, at the end of 2010, roughly a third of desktop computers worldwide were running Firefox. A year later, Google’s Chrome had skyrocketed in popularity, surpassing Firefox. By mid-2012, Chrome had overtaken Microsoft Internet Explorer and hasn’t looked back.

As of last month, Firefox accounted for just 9.46% of the global desktop browser market. Meanwhile, industry leader Chrome was used on 64.91% of computers.

Image credit Nata Figueiredo
