People who use Firefox as one of their browsers should update it now that it has gotten fixes for two critical flaws that are being exploited.
Mozilla has just released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0 and Focus 97.3.0 with security fixes. Bugs are also fixed in Thunderbird 91.6.2. Both CVE-2022-26485 and CVE-2022-26486 are critical use-after-free memory-related flaws. CVE-2022-26486 could also lead to an exploitable sandbox breakout, according to Mozilla.
“Removing an XSLT parameter during processing could have led to an exploitable use-after-free. We’ve had reports of in-the-wild attacks abusing this flaw,” Mozilla explains. “An unexpected message in the WebGPU IPC framework could have led to a use-after-free and exploitable sandbox escape. We have had reports of wildfire attacks abusing this flaw.”
Mozilla good student in the analysis of Google Project Zero
WebGPU is a browser specification for various interfaces that allow a web page to use a system’s GPU for enhanced graphics.
Mozilla did not release additional details, but attributes the bug reports to researchers at Chinese security firm Qihoo 360 ATA Wang Gang, Liu Jialei, Du Sihang, Huang Yi and Yang Kang.
Although Firefox user numbers are down, Mozilla did fairly well in Google’s Project Zero analysis of how quickly software vendors fixed bugs. Mozilla fixed nine of the ten bugs affecting its software within 90 days of the initial report. It also took an average of 46 days for it to fix bugs, compared to Google’s 44 days, Apple’s 69 days, and Microsoft’s 83 days.
When it comes to browsers, Chrome is the fastest, and with 40 bugs fixed, the average time to fix is 5.3 days. WebKit has 27 bugs and an average fix time of 11.6 days, while Firefox has eight bugs and an average fix time of 16.6 days.
Source: “ZDNet.com”