Mozilla has released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 to address two critical zero-day vulnerabilities, tracked as CVE-2022-26485 and CVE-2022-26485, that are being actively exploited in attacks.
The two vulnerabilities are “Use-after-free” issues in XSLT parameter processing and in the WebGPU IPC Framework respectively.
Successful exploitation of the flaws can crash the program or allow an attacker to execute arbitrary commands on the machine.
Below is the description of both flaws included in the advisory published by Mozilla:
“We have had reports of attacks in the wild abusing this flaw,” reads the advisory for both issues.
Mozilla hasn’t shared details about the attacks.
These vulnerabilities were reported by security researchers from the Chinese cybersecurity firm Qihoo 360 ATA.
Users are recommended to install the security updates immediately.
(SecurityAffairs – hacking, Mozilla)