News  

Two new Mozilla Firefox zero-day vulnerabilities are under active attack; upgrade as soon as possible

Mozilla has shipped an out-of-band security update for the Firefox web browser that fixes two critical-severity vulnerabilities. According to Mozilla, both are already being exploited in the wild.

The two zero-days, tracked as CVE-2022-26485 and CVE-2022-26486, are use-after-free vulnerabilities. The first affects Extensible Stylesheet Language Transformation (XSLT) parameter processing; the second affects the WebGPU Interprocess Communication (IPC) framework.

XSLT is an XML-based language used to transform XML documents into other formats, such as HTML pages or (via XSL-FO) PDF documents. WebGPU is an emerging web standard for GPU access from the browser and is widely regarded as the successor to the current WebGL JavaScript graphics API.

Mozilla describes the two flaws as follows:

CVE-2022-26485 – Removing an XSLT parameter during processing could lead to an exploitable use-after-free.

CVE-2022-26486 – An unexpected message in the WebGPU IPC framework could lead to a use-after-free and an exploitable sandbox escape.

A use-after-free lets an attacker act on memory after it has been released and possibly reallocated for something else. In practice, these flaws could be used to corrupt data and execute arbitrary code in the browser process, and in the WebGPU case to break out of the content-process sandbox.

Mozilla has acknowledged reports of attacks in the wild abusing both vulnerabilities, but has not disclosed technical details of the intrusions or the identity of the attackers.

Mozilla credits Qihoo 360 security researchers Wang Gang, Liu Jialei, Du Sihang, Huang Yi and Yang Kang with discovering and reporting the flaws.

Because these vulnerabilities are being actively exploited, users are advised to upgrade to Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, Firefox Focus 97.3.0, or Thunderbird 91.6.2 as soon as possible.
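The practical question for anyone running a fleet is which installs still predate the fixed releases listed above. The following script is an added example, not code from Mozilla or from the original article: it parses the `--version` output of the desktop Firefox and Thunderbird binaries (for example `Mozilla Firefox 91.6.1esr`), maps it to the right channel, and compares it against the fixed versions for this advisory. The `SAMPLE_INVENTORY` lines are constructed for illustration; Firefox for Android and Focus have no command-line version output and are therefore not covered.

```python
import re

# Minimum fixed versions from Mozilla's March 2022 advisory, per product/channel.
# Firefox for Android 97.3.0 and Focus 97.3.0 are not included: those builds
# expose no --version CLI, so this check only applies to desktop installs.
FIXED = {
    "firefox": (97, 0, 2),
    "firefox-esr": (91, 6, 1),
    "thunderbird": (91, 6, 2),
}

# Matches "Mozilla Firefox 97.0.2", "Mozilla Firefox 91.6.1esr", "Thunderbird 91.6.2".
# Beta/nightly strings such as "98.0b7" deliberately do not match and are
# reported as unknown rather than silently compared.
_VERSION_RE = re.compile(
    r"^(?P<product>Mozilla Firefox|Thunderbird)\s+(?P<ver>\d+(?:\.\d+)*)(?P<esr>esr)?$"
)


def parse_version_output(text):
    """Parse `firefox --version` / `thunderbird --version` output into
    (channel, version_tuple), e.g. ('firefox-esr', (91, 6, 1)).
    ESR is detected solely from the 'esr' suffix Mozilla appends to ESR builds."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    product = "thunderbird" if m.group("product") == "Thunderbird" else "firefox"
    if product == "firefox" and m.group("esr"):
        product = "firefox-esr"
    return product, tuple(int(p) for p in m.group("ver").split("."))


def _pad(parts, length):
    # Right-pad with zeros so (98, 0) compares correctly against (97, 0, 2).
    return parts + (0,) * (length - len(parts))


def is_patched(text):
    """True if the reported build is at or above the fixed version for its channel."""
    product, ver = parse_version_output(text)
    fixed = FIXED[product]
    width = max(len(ver), len(fixed))
    return _pad(ver, width) >= _pad(fixed, width)


# Constructed sample inventory (hypothetical hosts): "hostname: <--version output>".
SAMPLE_INVENTORY = """\
ws01: Mozilla Firefox 97.0.1
ws02: Mozilla Firefox 97.0.2
ws03: Mozilla Firefox 91.6.0esr
srv01: Mozilla Firefox 91.6.1esr
ws04: Thunderbird 91.6.1
ws05: Thunderbird 91.6.2
ws06: Mozilla Firefox 98.0b7
"""


def triage(inventory):
    """Return {host: 'patched' | 'unpatched' | 'unknown'} for an inventory dump.
    Unparseable strings are flagged as 'unknown' so they are not lost in the report."""
    result = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(":")
        try:
            result[host.strip()] = "patched" if is_patched(version) else "unpatched"
        except ValueError:
            result[host.strip()] = "unknown"
    return result


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:8} {status}")
```

On Linux and macOS the version string comes from `firefox --version` or `/Applications/Firefox.app/Contents/MacOS/firefox --version`; on Windows the binary does not print to the console, so read the version from the installed application's metadata or your software inventory tool instead, then feed the same `Mozilla Firefox X.Y.Z` string into `is_patched`.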

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added the two Firefox zero-day vulnerabilities, along with nine other bugs, to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to apply the fixes by March 21, 2022.