The big picture: Mozilla has released new versions of its Firefox browser that correct a pair of critical zero-day vulnerabilities. Both have already been actively exploited in the wild, so you’ll want to grab the patch ASAP to avoid exposure.
The vulnerabilities, labeled CVE-2022-26485 and CVE-2022-26486are both use-after-free (UAF) vulnerabilities that were reported to Mozilla by Chinese Internet security company Qihoo 360. As Kaspersky highlightsthese types of vulnerabilities relate to the incorrect use of dynamic memory during a program’s execution.
Pointers in a program refer to data sets in dynamic memory. If a data set is deleted or moved to another block but the pointer, instead of being cleared (set to null), continues to refer to the now-freed memory, the result is a dangling pointer. If the program then allocates this same chunk of memory to another object (for example, data entered by an attacker), the dangling pointer will now reference this new data set. In other words, UAF vulnerabilities allow for code substitution.
CVE-2022-26485 relates to a UAF flaw in XSLT parameter processing, while the other deals with UAF in the WebGPU PIC framework. Mozilla in its security advisory said they have reports of attacks in the wild utilizing both bugs.
You can grab the latest version of Mozilla Firefox for your platform of choice over on our downloads page or update manually through Firefox’s integrated help menu.
Mozilla’s Firefox has given up significant market share over the last decade or so. According to StatCounter, roughly a third of desktops worldwide used Firefox at the end of 2010. A year later, Google’s Chrome shot up in popularity and passed Firefox. By mid-2012, Chrome passed Microsoft’s Internet Explorer and hasn’t looked back.
As of last month, Firefox accounted for just 9.46 percent of the global desktop browser market. Industry leader Chrome, meanwhile, was used on 64.91 percent of machines.
Image credit Nata Figueiredo