Firefox update patches two zero-day vulnerabilities

Last month, Mozilla released Firefox 74.0 and Firefox ESR 68.6.0. These versions of the web browser include quite a number of security fixes, but they also contain two security vulnerabilities that were unknown to the developers at the time of release. Two JMP Security researchers, Francisco Alonso and Javier Marcos, discovered the vulnerabilities and reported them to Mozilla. The two vulnerabilities are now registered in the National Vulnerability Database and the Common Vulnerabilities and Exposures system as CVE-2020-6819 and CVE-2020-6820.

Both vulnerabilities are use-after-free bugs that allow attackers to remotely execute malicious code. Each is triggered by a race condition; what distinguishes the two is the browser component involved. The first vulnerability involves the nsDocShell destructor, which is related to the reading of HTTP headers, while the second involves the ReadableStream interface of the Streams API. According to Mozilla, “The Streams API allows JavaScript to programmatically access streams of data received over the network and process them as desired by the developer.”

Mozilla has now released Firefox 74.0.1 and Firefox ESR 68.6.1, which both contain patches for the two security vulnerabilities. According to Mozilla’s security advisory, these vulnerabilities have been exploited by attackers. A statement from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urges Firefox users to update to Firefox 74.0.1 and Firefox ESR 68.6.1.

One response to “Firefox update patches two zero-day vulnerabilities”

  1. Most browsers after a bug: You’re getting rusty!
    Firefox after a bug: You’re not Rusty enough!

Nathan Wasson

Inquiring mind, tech journalist, car enthusiast, gamer.