Firefox update fixes two nasty security vulnerabilities, so patch now

Firefox
Image credit: Mozilla (Image credit: Mozilla)

Mozilla has released four new updates in an attempt to patch two critical Firefox vulnerabilities that are allegedly being exploited in the wild. 

Firefox 97.0.2., Firefox ESR 91.6.1., Firefox for Android 97.3.0., and Focus 97.3.0, have been launched addressing two serious zero-day flaws.

The zero-days in question are described as “Use-after-free”, bugs which, when abused, crash the browser while giving the attacker the ability to run any commands without permission. That means a threat actor could potentially abuse the flaw to run malware, ransomware, or any other malicious code on the target endpoint. 

TechRadar needs you!

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window <<

Malicious redirects

With these patches, Mozilla addressed CVE-2022-26485, and CVE-2022-26486, without going into detail on how exactly they’re being abused in the wild, aside from saying their use has been reported on. 

Whatever the case may be, users are advised to patch up immediately, to prevent falling victim. They can do that by going to Firefox menu > Help > About Firefox, where the browser will automatically look for new updates and install them. 

The updates are also available for download on these links:

Being the actual window to the internet, browsers are often in the crosshairs for hackers. Mozilla was forced to block access to two popular add-ons which had around a million users in late 2021 following reports they had been compromised. 

Bypass and Bypass XM, two add-ons that were allegedly using reverse-proxies to allow users to access paywalled content, were said to be misusing the proxy API, thus interfering with the browser’s update functionality.

As users were prevented from downloading updates for the browser, as well as from accessing updated blocklists, the add-ons placed them in harm’s way. 

 Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.