Critical Firefox Zero-Day Bugs Allow RCE, Sandbox Escape

Mozilla has released an emergency update for its Firefox browser that addresses two critical security vulnerabilities that cybercriminals have actively exploited in the wild as zero days.

Both are use-after-free bugs, which are memory-corruption issues that occur when an application continues to try to use a chunk of memory that was assigned to it, after said chunk was freed up for use by a different application. This kind of problem can lead to remote code execution (RCE), data corruption and system crashes.

The first bug addressed by Mozilla, CVE-2022-26485, is a use-after-free problem in the browser’s XSLT parameter processing. XSLT parameters are used for creating stylesheets that are used to determine the look and feel of a website.

“Removing an XSLT parameter during processing could have led to an exploitable use-after-free,” according to Mozilla’s advisory over the weekend.

The second bug, CVE-2022-26486, is a use-after-free issue in the WebGPU IPC Framework. WebGPU is a web API that supports multimedia on webpages by employing a machine’s Graphics Processing Unit (GPU). It’s used to support gaming, video conferencing and 3D modeling, among other things.

“An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape,” according to Mozilla.

The company didn’t provide much in the way of technical details, presumably to make exploitation all the more difficult for bad actors. However, Paul Ducklin, senior technologist with Sophos, offered some notes.

The first bug, he said, is being exploited in the wild for RCE, “implying that attackers with no existing privileges or accounts on your computer could trick you into running malware code of their choice simply by luring you to an innocent-looking but booby-trapped website.”

The second is being used for sandbox escape, as noted by Mozilla.

“This sort of security hole can typically be abused on its own (for example, to give an attacker access to files that are supposed to be off limits), or in combination with an RCE bug to allow implanted malware to escape from the security confines imposed by your browser, thus making an already bad situation even worse,” Ducklin noted in a Saturday overview.

Wang Gang, Liu Jialei, Du Sihang, Huang Yi and Yang Kang of 360 ATA reported the issues.

Both bugs are fixed in the following versions, and users should update immediately:

• Firefox 97.0.2
• Firefox ESR 91.6.1
• Firefox for Android 97.3
• Focus 97.3
• Thunderbird 91.6.2

Register Today for Log4j Exploit: Lessons Learned and Risk Reduction Best Practices – a LIVEThreatpost eventsked for Thurs., March 10 at 2PM ET. Join Sonatype codeexpert Justin Young as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. Register Now for this one-time FREE event, Sponsored by Sonatype.