Firefox has a fire: Two critical zero-day vulnerabilities discovered

The Firefox web browser contains two critical vulnerabilities that are already being exploited by attackers. An update is available and should be installed immediately.

The Mozilla Foundation points out two security vulnerabilities in the current versions of its web browser Firefox. The two vulnerabilities are of the so-called ‘use-after-free’ type and could be used to execute malicious code in the browser on the user’s system.

The advisory states that Firefox attacks that exploit these vulnerabilities have already been observed, so users should update as soon as possible. The two vulnerabilities are assigned CVE numbers 2020-6819 and 2020-6820. 74.0.1 of the current Firefox browser and 68.6.1 of the ISR branch of Firefox have been sealed (in all operating systems: Windows, macOS and Linux).

Francisco Alonso of revskills and Javier Marcos of JMPSec reported the vulnerabilities, which concern possible race conditions when using the nsDocShell destructor and when handling a ReadableStream. On Twitter Alonso points out that other browsers might be affected as well. At the moment there are no further details about the vulnerabilities, but they will follow soon. Already in January this year there was a critical vulnerability in Firefox.