Mozilla has pushed out-of-band software updates to its Firefox web browser to fix two high-impact security holes, both of which it says are actively exploited in the wild.
Tracked as CVE-2022-26485 and CVE-2022-26486, the zero-day defects are use-after-free issues affecting Extensible Stylesheet Language Transformations (XSLT) parameter processing and the WebGPU interprocess communication (IPC) framework.
The two defects are described below –
- CVE-2022-26485 – Removing an XSLT parameter during processing may result in an exploitable use-after-free
- CVE-2022-26486 – An unexpected message in the WebGPU IPC framework can lead to a use-after-free and exploitable sandbox escape
Use-after-free bugs – which can be exploited to corrupt valid data and execute arbitrary code on compromised systems – mainly stem from “confusion about which part of the program is responsible for freeing memory”.
Mozilla acknowledged that “we have reports of attacks in the wild” that weaponize both vulnerabilities but has not shared any technical details of the breaches or the identities of the malicious actors exploiting them.
Security researchers Wang Gang, Liu Jialei, Du Sihang, Huang Yi and Yang Kang of Qihoo 360 ATA are credited with discovering and reporting the shortcomings.
In view of the active exploitation of the flaws, users are advised to upgrade as soon as possible to Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, Focus 97.3.0 and Thunderbird 91.6.2.
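A fleet check against the fixed releases listed above, as an added example that is not from Mozilla or the original article. It assumes an inventory export of `host,product,version` rows with hypothetical product labels, and treats any release older than the fixed one as still needing the update.

```python
import re

# Fixed releases named in the article; the product labels are assumptions.
FIXED = {
    "firefox": (97, 0, 2),
    "firefox-esr": (91, 6, 1),
    "firefox-android": (97, 3, 0),
    "focus": (97, 3, 0),
    "thunderbird": (91, 6, 2),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr|[ab]\d+)?")

def classify(product, version):
    """Return 'patched', 'vulnerable' or 'review' for one installed build."""
    m = VERSION_RE.fullmatch(version.strip().lower())
    # Unparseable strings and alpha/beta builds are not covered by the article.
    if m is None or (m.group(4) or "esr") != "esr":
        return "review"
    product = product.strip().lower()
    if product == "firefox" and m.group(4) == "esr":
        product = "firefox-esr"  # desktop ESR reports itself as e.g. 91.6.0esr
    if product not in FIXED:
        return "review"
    found = tuple(int(g or 0) for g in m.group(1, 2, 3))
    return "patched" if found >= FIXED[product] else "vulnerable"

def audit(inventory_csv):
    """Classify each 'host,product,version' row; skip blanks and # comments."""
    results = []
    for line in inventory_csv.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if not fields[0] or fields[0].startswith("#"):
            continue
        if len(fields) != 3:
            results.append((fields[0], "review"))  # malformed row
            continue
        results.append((fields[0], classify(fields[1], fields[2])))
    return results

# Constructed sample inventory (hosts are made up).
SAMPLE = """\
# host,product,version
ws-01,firefox,97.0.1
ws-02,firefox,97.0.2
ws-03,firefox,91.6.0esr
ws-04,firefox-esr,91.7.0
mail-01,thunderbird,91.6.1
dev-01,firefox,98.0b9
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Rows marked `review` (pre-release builds, unknown products, malformed lines) need a manual look rather than being counted as safe.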