Mozilla fixes two use-after-free zerodays in Firefox
Mozilla has fixed two vulnerabilities in Firefox that could allow a remote attacker to take over an entire system. Many details about the bugs are unknown, but the browser maker says the vulnerabilities were actively exploited in the wild.
Mozilla has opened two separate bug tracker entries for the vulnerabilities, but neither contains detailed information yet. The bugs are tracked as CVE-2020-6819 and CVE-2020-6820. Both are use-after-free memory corruption bugs: the first lies in the nsDocShell destructor, the second in ReadableStream. Either use-after-free would make it possible to take over a user's system simply by visiting a website. The two security researchers who discovered the vulnerabilities have not disclosed any details about them yet; those will follow later. The researchers also say they have information about the same type of vulnerability in other browsers.
Mozilla says it has evidence that the zerodays were actively being abused in the wild, but no details are known about that either. The company recommends that all users update Firefox to version 74.0.1 or Firefox ESR 68.6.1.