Two Firefox browser zero-day vulnerabilities which were actively being exploited in the wild were patched. Mozilla stated that these flaws, both use-after-free bugs, have been part of targeted attacks in the wild.
The vulnerabilities which have been rated as critical would have let remote attackers to execute arbitrary code or trigger crashes on devices using Firefox versions prior to 74.0.1 and its business-friendly Firefox Extended Support Release 68.6.1.
The bugs which have been dubbed CVE-2020-6819 and CVE-2020-6820 have affected Firefox browser versions running on Windows, macOS and Linux operating systems.
The bug dubbed as CVE-2020-6819, is a use-after free vulnerability linked to the browser component “nsDocShell destructor” which is a client of the nsI-HttpChannel API, a function of the browser related to reading HTTP headers.
The second bug dubbed CVE-2020-6820, is also a use-after-free bug actively being exploited in the wild. Here the attackers target the Firefox browser component ReadableStream, an interface of the Streams API.
The security researchers Francisco Alonso and Javier Marcos of JMP Security have reported these two bugs.
According to a Center for Internet Security bulletin, a successful exploitation of the most severe of these vulnerabilities could let arbitrary code execution. Based on the privileges of the user, an attacker could then install programs; view, alter or delete data; or create new accounts with full user rights. Those users with less user rights could be less impacted than those with administrative user rights.
Patches are available for multiple version of the Firefox browser including: Firefox 74.0.1 for Windows 64-bit, Firefox 74.0.1 for Windows 32-bit, Firefox 74.0.1 for macOS, Firefox 74.0.1 for Linux 64-bit and Firefox 74.0.1 for Linux 32-bit.
All users are highly recommended to update the fixes at the earliest.