{"id":18444,"date":"2022-03-07T13:10:04","date_gmt":"2022-03-07T21:10:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/03\/07\/news-12177\/"},"modified":"2022-03-07T13:10:04","modified_gmt":"2022-03-07T21:10:04","slug":"news-12177","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/03\/07\/news-12177\/","title":{"rendered":"Update now! Mozilla patches two actively exploited vulnerabilities"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Mon, 07 Mar 2022 20:25:18 +0000<\/strong><\/p>\n

Mozilla has announced<\/a> it has fixed security vulnerabilities in Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0. Users should install the out-of-band security update as soon as possible, since it is designed to apply a fix for two vulnerabilities that are known to be exploited in the wild.<\/p>\n

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs you need to know:<\/p>\n

CVE-2022-26485<\/h2>\n

The vulnerability listed under CVE-2022-26485<\/a> can be triggered by removing an XSLT parameter during processing which could lead to an exploitable use-after-free.<\/p>\n

In the Extensible Markup Language (XML) the <xsl:param> element is used to declare a local or global parameter. XML is a markup language much like HTML and XML was designed to store and transport data. The XSLT <xsl:param><\/em> and <xsl:with-param><\/em> elements allow you to pass parameters to a template.<\/p>\n

Use-after-free (UAF) is a vulnerability caused by incorrect use of dynamic memory during a program\u2019s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.<\/p>\n

CVE-2022-26486<\/h2>\n

The vulnerability listed under CVE-2022-26486<\/a> can be exploited by sending an unexpected message in the WebGPU IPC framework which in turn could lead to a use-after-free and exploitable sandbox escape.<\/p>\n

WebGPU exposes an API for performing operations, such as rendering and computation, on a Graphics Processing Unit. Interprocess communication (IPC) refers specifically to the mechanisms an operating system provides to allow the processes to manage shared data. WebGPU sees physical Graphics Processing Units (GPUs) hardware as GPUAdapters. It provides a connection which manages resources, and the device\u2019s GPUQueues, which execute commands.<\/p>\n

The idea of browser sandboxes is to shield the system from the malware attacking the browser. They do this by containing any malicious code that originates from visiting a website, in the sandbox part of the browser. As soon as the sandbox is closed, everything inside it is erased, including the malicious code.<\/p>\n

So, the ability to escape the application\u2019s security sandbox is valuable to an attacker as it can be chained with other vulnerabilities to take over the target system. Since these two vulnerabilities were reported by the same researchers, it seems highly likely they were used together in online attacks for exactly that purpose.<\/p>\n

Critical<\/h2>\n

These vulnerabilities are rated critical and that is very likely because they are being exploited in the wild. From the descriptions, we would deduce that these bugs are critical because they could allow a remote attacker to execute almost any command, including the downloading of malware to provide further access to the device. So, there are compelling reasons to apply this update as soon as possible<\/p>\n

Mitigation<\/h2>\n

The affected Mozilla products need to be updated to the versions listed below.<\/p>\n