Firefox Zero-Day Alert: CVE-2022-26485 and CVE-2022-26486

Zero-Day flaws in the Firefox web browser for Windows, Macintosh, and Linux computers

Two zero-day flaws have been found in the Mozilla Firefox web browser used on Windows, Macintosh, and Linux computers. The flaws (CVE-2022-26485 and CVE-2022-26486) have been described as use-after-free issues impacting Extensible Stylesheet Language Transformations (XSLT) parameter processing and the WebGPU inter-process communication (IPC) framework. Both are critical-severity flaws on the CVSS vulnerability-rating scale.

Mozilla acknowledged that "We have had reports of attacks in the wild" weaponizing the two vulnerabilities.

In light of active exploitation of the flaws, if you have a Firefox browser, it is recommended to upgrade as soon as possible to these versions: Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, Focus 97.3.0, or Thunderbird 91.6.2.
Most Firefox browsers will auto-update; the update requires the browser to be restarted.

Double-check your Firefox browser is up-to-date

Firefox will in many cases update to its newest version automatically.
However, we recommend you double-check if the update has been applied.

In Firefox, click on Settings, then General, and scroll down to Firefox Updates.

If the browser is up-to-date, it will say "Firefox is up to date" and list the version number. Make sure it's at least Firefox 97.0.2, Firefox ESR 91.6.1, or Firefox for Android 97.3.0.
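For a fleet rather than a single desktop, the same check can be scripted against the output of `firefox --version` / `thunderbird --version`. The following is an added example, not part of the original alert or of Mozilla's tooling; it assumes the output shapes "Mozilla Firefox 97.0.2", "Mozilla Firefox 91.6.1esr" and "Thunderbird 91.6.2", and the host names are constructed.

```python
import re

# Minimum fixed desktop versions named in this alert; Android and Focus builds
# cannot be queried from a desktop shell, so they are not listed here.
FIXED_VERSIONS = {
    "firefox": (97, 0, 2),
    "firefox-esr": (91, 6, 1),
    "thunderbird": (91, 6, 2),
}

# Assumed shape of `firefox --version` / `thunderbird --version` output, e.g.
# "Mozilla Firefox 97.0.2", "Mozilla Firefox 91.6.1esr", "Thunderbird 91.6.2".
VERSION_RE = re.compile(r"^(Mozilla Firefox|Thunderbird)\s+(\d+(?:\.\d+){0,2})(esr)?\s*$")

def parse_version(text):
    """Turn '97.0.2' or '98.0' into a three-part tuple so tuples compare correctly."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))

def classify(output):
    """Return (channel, version) for a --version line, or None if not recognised."""
    match = VERSION_RE.match(output.strip())
    if match is None:
        return None
    product, version, esr = match.groups()
    if product == "Thunderbird":
        channel = "thunderbird"
    elif esr:
        channel = "firefox-esr"
    else:
        channel = "firefox"  # no "esr" suffix: release channel, which needs 97.0.2
    return channel, parse_version(version)

def is_patched(output):
    """True/False against the fixed version for the build's channel; None if unrecognised."""
    result = classify(output)
    if result is None:
        return None
    channel, version = result
    return version >= FIXED_VERSIONS[channel]

def audit(inventory):
    """Map host -> 'patched' / 'vulnerable' / 'unknown' for fleet reporting."""
    labels = {True: "patched", False: "vulnerable", None: "unknown"}
    return {host: labels[is_patched(out)] for host, out in inventory.items()}

# Constructed sample inventory (hypothetical hosts), not real data:
SAMPLE_INVENTORY = {"ws-01": "Mozilla Firefox 97.0.2", "srv-03": "Mozilla Firefox 91.6.0esr",
                    "mail-05": "Thunderbird 91.6.2", "kiosk-06": "Chromium 99.0.4844.51"}

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```

A release-channel Firefox 91.6.1 without the "esr" suffix is reported as vulnerable, because only the ESR channel is fixed at 91.6.1; the release channel needs 97.0.2.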

Additional Details

One vulnerability (CVE-2022-26485): removing an XSLT parameter during processing could lead to an exploitable use-after-free. (Use-after-free bugs can be exploited to corrupt valid data and execute arbitrary code on compromised systems.)
The other vulnerability (CVE-2022-26486): an unexpected message in the WebGPU IPC framework could lead to a use-after-free and an exploitable sandbox escape.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added the two Firefox zero-day vulnerabilities, along with nine other bugs, to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to apply the fixes by March 21, 2022.

(References: https://thehackernews.com/2022/03/2-new-mozilla-firefox-0-day-bugs-under.html, https://www.bitdefender.com/blog/hotforsecurity/mozilla-firefox-97-0-2-update-addresses-two-actively-exploited-zero-day-flaw, cert.civis.net/en/index.php?action=alert&param=CVE-2022-26485 and cert.civis.net/en/index.php?action=alert&param=CVE-2022-26486.)

Please see the Mozilla Security Advisory webpage for more information.