Critical Firefox Zero-Day Flaws Are Being Actively Exploited In The Wild, Patch ASAP
If you wait long enough, your software programs, utilities, and operating system will all take the initiative to apply any applicable updates, depending on how you have things configured. Even if you rely on automatic updates, though, sometimes you should still take matters into your own hands. Such is the case now if you're using the Firefox browser or Thunderbird email client.
Mozilla has released a patch to address a pair of critical security flaws that could enable bad actors to do bad things to your PC. That's reason enough to fast-track updating your browser. Providing added motivation, Mozilla points out that it has received reports of attacks in the wild leveraging both zero-day security vulnerabilities.
In other words, these are serious security holes and hackers are privy to them. The two flaws, labeled as CVE-2022-26485 and CVE-2022-26486, are both use-after-free memory vulnerabilities. One affects the Extensible Stylesheet Language Transformations (XSLT) parameter processing and the other applies to the WebGPU inter-process communication (IPC) framework in Firefox.
"Removing an XSLT parameter during processing could have led to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw," Mozilla explains.
Likewise, the browser maker notes, "An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape," and says it also received reports of this one being abused in the wild.
Both flaws were discovered by Qihoo 360 ATA researchers Wang Gang, Liu Jialei, Du Sihang, Huang Yi, and Yang Kang. Mozilla and Qihoo 360 ATA have not yet released technical details of the zero-day bugs, as it is common to withhold such information until the bulk of users (in this case, Firefox users) have had a chance to apply the patch.
Affected users are strongly advised to upgrade to Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, Focus 37.3.0, and Thunderbird 91.6.2. To force the issue, click on the three horizontal bars in the upper-right corner of Firefox and navigate to Help > About Firefox. This will initiate downloading the latest update, with the option to restart your browser to apply the patch(es). The process in Thunderbird is the same (except it will say About Thunderbird, obviously).
You can use this same method to verify you have the latest release installed.
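If you look after more than one machine, the same check can be scripted. The following is an added example, not code from Mozilla or from this article: it compares version banners against the desktop fixed releases listed above, and it assumes the banner format printed by `firefox --version` (for example "Mozilla Firefox 91.6.1esr"). The host names and banners are constructed sample data, and Firefox for Android and Focus are not covered.

```python
import re

# Fixed desktop releases named in the article, keyed by (product, channel).
FIXED = {
    ("firefox", "release"): (97, 0, 2),
    ("firefox", "esr"): (91, 6, 1),
    ("thunderbird", "release"): (91, 6, 2),
}

# Assumed banner shape: "<product> <major[.minor[.patch]]>[esr]".
BANNER = re.compile(r"(?i)\b(firefox|thunderbird)\s+(\d+(?:\.\d+){0,2})(esr)?(?!\S)")


def parse_banner(banner):
    """Return (product, channel, (major, minor, patch)) or None if unparseable."""
    m = BANNER.search(banner)
    if not m:
        return None  # betas, nightlies, missing installs: review by hand
    product = m.group(1).lower()
    parts = [int(p) for p in m.group(2).split(".")]
    parts += [0] * (3 - len(parts))  # "96.0" is treated as 96.0.0
    channel = "esr" if m.group(3) and product == "firefox" else "release"
    return product, channel, tuple(parts)


def status(banner):
    """Classify one banner as 'patched', 'vulnerable' or 'unknown'."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    product, channel, version = parsed
    # Compare within the channel: release 96.0 is newer than ESR 91.6.1
    # by number, but it predates the release-channel fix (97.0.2).
    return "patched" if version >= FIXED[(product, channel)] else "vulnerable"


def audit(inventory):
    """Map each host in {host: banner} to its status."""
    return {host: status(banner) for host, banner in inventory.items()}


# Constructed sample inventory (not real hosts).
SAMPLE = {
    "ws-01": "Mozilla Firefox 97.0.2",
    "ws-02": "Mozilla Firefox 96.0",
    "ws-03": "Mozilla Firefox 91.6.1esr",
    "ws-04": "Mozilla Firefox 91.6.0esr",
    "ws-05": "Mozilla Thunderbird 91.6.2",
    "ws-06": "Mozilla Firefox 98.0b3",
}

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(host, result)
```

Hosts reported as "unknown" have a banner the script could not parse, so check those through Help > About as described above.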