Mozilla fixes two critical Firefox flaws that are being actively exploited

Mozilla urges all Firefox users to install updates that address critical security flaws.
Written by Liam Tung, Contributing Writer

People who use Firefox as one of their browsers should update it now that it's gained patches for two critical flaws that are being exploited in the wild. 

Mozilla just released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 with the security fixes. The bugs are also fixed in Thunderbird 91.6.2. 
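To turn the version list above into a quick inventory check, here is an added Python example (not Mozilla's code) that flags builds below the first fixed release on each branch; the product labels and the sample inventory are constructed for illustration.

```python
# Added example for this article, not Mozilla's code: check whether a
# reported Firefox/Thunderbird build already carries the fixes for
# CVE-2022-26485 and CVE-2022-26486. Fixed versions are the ones the
# article lists; the product labels and inventory are constructed.
import re

# product -> {major of branch: first fixed version on that branch}
FIXED_VERSIONS = {
    "firefox": {97: (97, 0, 2)},          # release branch
    "firefox-esr": {91: (91, 6, 1)},      # ESR branch
    "firefox-android": {97: (97, 3, 0)},  # Firefox for Android
    "thunderbird": {91: (91, 6, 2)},      # Thunderbird
}

def parse_version(text):
    """Turn '97.0.2' or '91.6.1esr' into a 3-tuple of ints (missing parts -> 0)."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def is_patched(product, version):
    """True if at or above the first fixed release of its branch; a major newer
    than any listed branch is assumed fixed, an older one (e.g. 96) is not."""
    branches = FIXED_VERSIONS[product]
    v = parse_version(version)
    fixed = branches.get(v[0])
    if fixed is not None:
        return v >= fixed
    return v[0] > max(branches)

def unpatched_hosts(inventory):
    """Return the hosts whose (product, version) still needs the update."""
    return [host for host, product, ver in inventory if not is_patched(product, ver)]

# Constructed sample inventory: (host, product, reported version).
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "97.0.2"),
    ("ws-02", "firefox", "97.0.1"),
    ("srv-03", "firefox-esr", "91.6.1esr"),
    ("srv-04", "firefox-esr", "91.5.0esr"),
    ("mail-05", "thunderbird", "91.6.2"),
    ("ws-06", "firefox", "96.0.3"),
]

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update needed for CVE-2022-26485 / CVE-2022-26486")
```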

Both CVE-2022-26485 and CVE-2022-26486 are critical use-after-free memory-corruption flaws. CVE-2022-26486 could also lead to an exploitable sandbox escape, according to Mozilla.

"Removing an XSLT parameter during processing could have led to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw," Mozilla explains. 

"An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw."

WebGPU is a browser specification for various interfaces that allow a web page to use a system's GPU for improved graphics. 

Mozilla hasn't released further details, but credits the bug reports to researchers Wang Gang, Liu Jialei, Du Sihang, Huang Yi and Yang Kang of Chinese security firm Qihoo 360 ATA.

While Firefox user numbers are declining, Mozilla performed fairly well in Google Project Zero's analysis of how quickly software vendors fixed bugs. Mozilla patched nine of the 10 bugs affecting its software within 90 days of the initial report. It also took an average of 46 days to fix bugs, compared to 44 days for Google, 69 days for Apple, and 83 days for Microsoft.

Looking at browsers, Chrome was the fastest and with 40 fixed bugs it had an average time to patch of 5.3 days. WebKit had 27 bugs and an 11.6-day average time to patch, while Firefox had eight bugs and a 16.6-day average time to fix. 
