Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.
Two zero-day flaws have been found in the Mozilla Firefox web browser on Windows, macOS, and Linux. The flaws (CVE-2022-26485 and CVE-2022-26486) are use-after-free bugs, one in Extensible Stylesheet Language Transformations (XSLT) parameter processing and one in the WebGPU inter-process communication (IPC) framework. Mozilla rates both as Critical severity.
Mozilla acknowledged that "We have had reports of attacks in the wild" weaponizing the two vulnerabilities.
Because the flaws are being actively exploited, update as soon as possible to one of these fixed versions: Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, Focus 97.3.0, or Thunderbird 91.6.2.
Firefox normally downloads updates automatically, but an update only takes effect after the browser is restarted, so we recommend confirming that it has actually been applied:
In Firefox, open Settings, select General, and scroll down to Firefox Updates.
If the browser is up to date, it will say "Firefox is up to date" and list the version number. Make sure the version is at least Firefox 97.0.2, Firefox ESR 91.6.1, or Firefox for Android 97.3.0. If an update is still pending, restart the browser and check again.
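For administrators who need to confirm the fix across many machines rather than clicking through Settings on each one, the following POSIX shell script is an added example (it is not from this advisory or from Mozilla): it reads the one-line output of `firefox --version`, picks the right fixed version for the channel, and compares the two numerically component by component. It assumes that release builds print "Mozilla Firefox 97.0.2", that ESR builds print "Mozilla Firefox 91.6.1esr", and that `thunderbird --version` prints "Thunderbird 91.6.2"; verify these formats on your own builds. The sample version lines inside the script are constructed, not captured from real machines.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Mozilla's tooling: decide whether
# a Firefox / Firefox ESR / Thunderbird build is at or above the fixed version.
# Assumed `--version` output formats (verify on your own builds):
#   release: "Mozilla Firefox 97.0.2"   ESR: "Mozilla Firefox 91.6.1esr"
#   Thunderbird: "Thunderbird 91.6.2"

# Fixed versions from the advisory.
FIXED_RELEASE=97.0.2
FIXED_ESR=91.6.1
FIXED_THUNDERBIRD=91.6.2

# version_ge A B: exit 0 if dotted version A is >= B, comparing each component
# numerically (so 97.0.10 > 97.0.2, which a plain string compare gets wrong).
# Missing components count as 0, so 91.6 == 91.6.0.
version_ge() {
    IFS=. read -r a1 a2 a3 a4 <<EOF
$1
EOF
    IFS=. read -r b1 b2 b3 b4 <<EOF
$2
EOF
    for pair in "${a1:-0} ${b1:-0}" "${a2:-0} ${b2:-0}" \
                "${a3:-0} ${b3:-0}" "${a4:-0} ${b4:-0}"; do
        set -- $pair
        if [ "$1" -gt "$2" ]; then return 0; fi
        if [ "$1" -lt "$2" ]; then return 1; fi
    done
    return 0
}

# is_patched "<version line>": prints a verdict and returns 0 if the build is
# patched, 1 if the update is still required, 2 if the line is not recognised.
is_patched() {
    line=$1
    ver=${line##* }                 # last word, e.g. 97.0.1 or 91.6.1esr
    case "$line" in
        *Thunderbird*) product="Thunderbird"; min=$FIXED_THUNDERBIRD ;;
        *esr)          product="Firefox ESR"; min=$FIXED_ESR; ver=${ver%esr} ;;
        *Firefox*)     product="Firefox";     min=$FIXED_RELEASE ;;
        *) printf 'unrecognised version line: %s\n' "$line" >&2; return 2 ;;
    esac
    case "$ver" in
        ''|*[!0-9.]*) printf 'unrecognised version number: %s\n' "$ver" >&2; return 2 ;;
    esac
    if version_ge "$ver" "$min"; then
        printf '%s %s: OK (fix shipped in %s)\n' "$product" "$ver" "$min"
        return 0
    fi
    printf '%s %s: UPDATE REQUIRED (fix shipped in %s)\n' "$product" "$ver" "$min"
    return 1
}

if [ "${1:-}" = "--live" ]; then
    # Check the binaries on PATH. A browser that has downloaded the update but
    # has not been restarted still reports its old version here.
    for bin in firefox thunderbird; do
        command -v "$bin" >/dev/null 2>&1 && is_patched "$("$bin" --version 2>/dev/null)" || :
    done
else
    # Constructed sample lines (not captured from real machines).
    for line in "Mozilla Firefox 97.0.1" "Mozilla Firefox 97.0.2" \
                "Mozilla Firefox 91.6.0esr" "Mozilla Firefox 91.6.1esr" \
                "Thunderbird 91.6.2" "Mozilla Firefox 98.0"; do
        is_patched "$line" || :
    done
fi
```

Run `sh check_firefox.sh` to see the verdicts for the constructed samples, or `sh check_firefox.sh --live` to check the binaries installed on the current machine; the exit code of `is_patched` (0 patched, 1 update required, 2 unrecognised) is what a fleet-inventory job should collect. Note the restart caveat from the check above: a browser that has fetched the update but is still running the old build reports the old version, on the command line as well as in Settings.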
One vulnerability (CVE-2022-26485): removing an XSLT parameter while it is being processed could lead to an exploitable use-after-free. In a use-after-free bug the program keeps using memory it has already released, so attacker-controlled data can land in that memory and be treated as valid, which can lead to arbitrary code execution.
The other vulnerability (CVE-2022-26486): an unexpected message in the WebGPU IPC framework could lead to a use-after-free and an exploitable escape from the browser sandbox.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday, March 7, 2022, added the two Firefox zero-day vulnerabilities, along with nine other bugs, to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to apply the fixes by March 21, 2022.
(References: https://thehackernews.com/2022/03/2-new-mozilla-firefox-0-day-bugs-under.html, https://www.bitdefender.com/blog/hotforsecurity/mozilla-firefox-97-0-2-update-addresses-two-actively-exploited-zero-day-flaw, cert.civis.net/en/index.php?action=alert&param=CVE-2022-26485 and cert.civis.net/en/index.php?action=alert&param=CVE-2022-26486)
Please see the Mozilla Security Advisory webpage (MFSA 2022-09) for more information.