Mozilla released Firefox 74.0.1 and Firefox ESR 68.6.1 earlier today to address two critical vulnerabilities that are being actively abused in the wild and could lead to remote code execution on vulnerable machines.
The two security flaws fixed today could allow attackers to execute arbitrary code or trigger crashes on machines running vulnerable Firefox versions.
As Mozilla's security advisory says, the Firefox developers "are aware of targeted attacks in the wild abusing" these two vulnerabilities with a Critical severity rating.
The Firefox and Firefox ESR zero-day flaws fixed by Mozilla today were reported by Francisco Alonso working with Javier Marcos of JMP Security.
Update to Firefox 74.0.1 and ESR 68.6.1. We (@javutin) reported two 0-days exploited in the wild. Thanks to @mozilla for quick fixes and hard work. 1/n https://t.co/00V9gyYVXo
— Francisco Alonso (@revskills) April 3, 2020
The first one, tracked as CVE-2020-6819, is due to a use-after-free bug caused by a race condition when running the nsDocShell destructor.
The second fixed zero-day, tracked as CVE-2020-6820, is also induced by a use-after-free error generated by a race condition when handling a ReadableStream.
Remote unauthenticated attackers can trick potential victims into visiting a maliciously crafted website to trigger these two vulnerabilities and, subsequently, execute arbitrary code on devices running unpatched versions of Firefox.
Successful exploitation of one of these vulnerabilities may enable the attackers to compromise the vulnerable systems.

While no additional information on how these flaws were exploited is available at the moment, given that they are rated as critical and are currently exploited in the wild, all users should install the patched Firefox 74.0.1 (or Firefox ESR 68.6.1) release.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert saying that "an attacker could exploit this vulnerability to take control of an affected system," and encouraging users to apply the security update.
You can do that by manually checking for the new update: go to the Firefox menu -> Help -> About Firefox and click the update button.
You can also download the latest patched version for Windows, macOS, and Linux from the following links:
- Firefox 74.0.1 for Windows 64-bit
- Firefox 74.0.1 for Windows 32-bit
- Firefox 74.0.1 for macOS
- Firefox 74.0.1 for Linux 64-bit
- Firefox 74.0.1 for Linux 32-bit
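For administrators checking a fleet rather than a single machine, the following added example (not Mozilla's code or part of the original article) parses the version string printed by `firefox --version` and reports which installations still lack the fixes for CVE-2020-6819 and CVE-2020-6820. It assumes the release channel prints a bare version such as `Mozilla Firefox 74.0.1` and the ESR channel appends an `esr` suffix such as `Mozilla Firefox 68.6.1esr`; the host inventory is constructed sample data.

```python
import re

# Fixed builds named in the advisory: release 74.0.1 and ESR 68.6.1.
PATCHED_RELEASE = (74, 0, 1)
PATCHED_ESR = (68, 6, 1)

# Matches "74.0.1", "74.0" (patch level omitted) and "68.6.1esr".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?\s*(esr)?", re.IGNORECASE)


def parse_firefox_version(text):
    """Return ((major, minor, patch), is_esr) from a `firefox --version`
    line, or None if no version number can be found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, bool(m.group(4))


def is_patched(text):
    """True if the reported build carries the CVE-2020-6819/6820 fixes.
    ESR is a separate branch: 68.6.1esr is fixed even though 68 < 74,
    while a release-channel 68.x build is not."""
    parsed = parse_firefox_version(text)
    if parsed is None:
        return False  # unknown build: treat as unpatched
    version, is_esr = parsed
    baseline = PATCHED_ESR if is_esr else PATCHED_RELEASE
    return version >= baseline


def hosts_needing_update(inventory):
    """Given {hostname: version_line}, return the sorted hostnames that
    must be updated to 74.0.1 / ESR 68.6.1."""
    return sorted(host for host, line in inventory.items() if not is_patched(line))


if __name__ == "__main__":
    # Constructed sample inventory, assumed to come from `firefox --version` on each host.
    sample = {
        "ws-01": "Mozilla Firefox 74.0.1",
        "ws-02": "Mozilla Firefox 74.0",
        "ws-03": "Mozilla Firefox 68.6.1esr",
        "ws-04": "Mozilla Firefox 68.6.0esr",
        "ws-05": "Mozilla Firefox 60.9.0esr",
        "ws-06": "no firefox installed",
    }
    for host in hosts_needing_update(sample):
        print(f"{host}: update required ({sample[host]})")
```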
Mozilla patched another actively exploited Firefox zero-day with the release of Firefox 72.0.1 in January, also used in targeted attacks.
In June 2019, Mozilla patched two actively exploited zero-day vulnerabilities used in targeted attacks against cryptocurrency firms such as Coinbase.
Back in 2016, Mozilla patched yet another zero-day exploited in the wild with the release of Firefox 50.0.2, while the Tor Project released Tor Browser 6.0.7 to fix the same issue.