- Firefox fixed two zero-day “use-after-free” flaws that were under exploitation in the wild.
- The particular flaws may affect other Web browsers too, but no technical details have been shared yet.
- A security issue affecting Twitter users and the risk of sensitive data disclosure has also been plugged.
Mozilla has released Firefox version 74.0.1 and ESR (extended support release) 68.6.1, which fixes two “use-after-free” vulnerabilities that were already under active exploitation in the wild. Both of the fixed flaws classify as critical, and their identifiers are “CVE-2020-6819” and “CVE-2020-6820.” The first one resides in the nsDocShell destructor, while the second one concerns the way ReadableStreams are handled. “Use-after-free” flaws are attacks that abuse memory access after it has been freed, causing program crashes and/or enabling malicious actors to execute code remotely and arbitrarily.
Mozilla didn’t unveil much on who’s exploiting these flaws, or who the targets are. Not much information was disclosed regarding the time when the exploits started either, so we don’t know for how long these actors have been using these zero-days to run code on other people’s computers. Obviously, for technical details to arise, the community will have to update their browsers first, and this may take a while to do. Interestingly, the researchers who have informed Mozilla about the two vulnerabilities did mention “other browsers” in a recent tweet, so there is a possibility that other browsers are also affected by the same problems. Still, the researchers have praised Firefox for patching the discovered flaws almost immediately, considering everyone is working remotely right now.
— Francisco Alonso (@revskills) April 3, 2020
Another fixed problem had to do with the way Firefox stored cache data and the potential of non-public information disclosure. Twitter informed people about the possibility of having their data compromised if they accessed their social media account via a shared or public computer using Mozilla Firefox. If you did, and you received or sent direct messages (DMs), this information may be retrievable from Firefox’s cache for up to seven days. The same applies to any Twitter data archive downloads that are handled in the same way. Twitter has worked with Mozilla to fix the issue, but users are still advised to clear the browser cache every time they are accessing their accounts from public computers.
Firefox didn’t enter a development freeze state as Chrome did, and the upcoming version 75 is expected to bring a revamped address bar with dynamic links expansion, small-screen search bar optimizations, and various interface-related improvements. Mozilla is still trying to cope with the competition that’s now pushing it aside, with Microsoft Edge proving to be a threat out of nowhere, and a real market contender.