Friday, 12 August 2022

Firefox Users Urged to Update to Version 97.0.2 over Two Use-After-Free Vulnerabilities Found Exploited in the Wild


Mozilla is urging users to update to the latest version of Firefox after two vulnerabilities (CVE-2022-26485 and CVE-2022-26486) were found to be actively exploited in the wild. Both are listed as use-after-free vulnerabilities. This type of vulnerability arises from problems in determining which part of an application is responsible for cleaning up used memory. By leveraging this, an attacker can set up a situation where they can re-use a part of memory that was freed by a legitimate process.

While the two vulnerabilities are both related to memory usage and control, they are in two different components. CVE-2022-26485 is a flaw in the XSLT (Extensible Stylesheet Language Transformations) component. This component is used to convert XML into a readable web page or PDF. By removing a parameter for XSLT during processing, an attacker could leave the browser in an exploitable state due to the way memory is handled.

On the other hand, CVE-2022-26486 is related to the WebGPU IPC (inter-process communication) framework. WebGPU has been touted as the logical successor to the current WebGL library. In this case, the attacker can insert an unexpected message to create the same exploitable situation, as well as allowing a sandbox escape.

Memory handling flaws are a popular target in browsers and other software as they are not overly complicated to attack. In the few we have seen in 2022, there is no real heavy lift on the part of the attacker to get the flaw into play. This makes them attractive targets, as they can have a high payoff for not a lot of effort. If you are using Firefox or Thunderbird, you should update these now to ensure you are not open to attack.
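To act on the update advice across more than one machine, the sketch below triages collected version strings against the 97.0.2 release named above. It is an added example, not Mozilla's tooling; it assumes the `Mozilla Firefox <version>` format printed by `firefox --version`, and the host names and inventory lines are constructed.

```python
import re

# Fixed release named in the article; no ESR or Thunderbird fixed version is
# given there, so those builds are reported as "unknown" rather than guessed.
FIXED = (97, 0, 2)

# Matches `firefox --version` style output, e.g. "Mozilla Firefox 97.0.1".
VERSION_RE = re.compile(r"Mozilla Firefox (\d+)\.(\d+)(?:\.(\d+))?(\S*)")

def classify(version_output):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"          # not Firefox, or output we cannot parse
    major, minor, patch, suffix = m.groups()
    if suffix:
        return "unknown"          # esr / beta builds: separate release trains
    version = (int(major), int(minor), int(patch or 0))
    return "patched" if version >= FIXED else "vulnerable"

def triage(inventory_lines):
    """Map host -> status from 'host<TAB>version output' inventory lines."""
    report = {}
    for line in inventory_lines:
        host, _, output = line.partition("\t")
        report[host.strip()] = classify(output.strip())
    return report

# Constructed sample inventory (hypothetical host names).
SAMPLE = [
    "ws-01\tMozilla Firefox 97.0.1",
    "ws-02\tMozilla Firefox 97.0.2",
    "ws-03\tMozilla Firefox 98.0",
    "ws-04\tMozilla Firefox 91.6.0esr",
    "ws-05\tMozilla Thunderbird 91.6.1",
    "ws-06\tMozilla Firefox 96.0",
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a manual check against the vendor advisory for their release train.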

Happy Patching.
