Hackers have been found exploiting a pair of previously unknown vulnerabilities in the Firefox browser to hijack computers.
Details about the flaws remain thin, but they can trigger a “race condition,” resulting in a dangerous state for the browser. If exploited, the errors can then cause the system to crash or prompt Firefox to execute computer code, paving the way for a hacker to manipulate your PC into downloading additional malware.
“We are aware of targeted attacks in the wild abusing this flaw,” Firefox developer Mozilla said in a warning on Friday describing both vulnerabilities.
Specifically, the problem deals with how the browser handles RAM memory blocks. To prevent hogging system resources, a program normally returns the memory blocks after completing an operation.
The same program should also never re-access a freed memory block that’s currently occupied by another program, notes security firm Sophos. But apparently, Firefox is mistakenly accessing the memory blocks when the software is processing data via the “nsDocShell destructor,” and when handling a “Readable Stream.” The effect creates a “use-after-free” vulnerability, which can potentially cause the program to run untrusted code from a memory block.
“In some cases, use-after-free bugs can allow an attacker to change the flow of control inside your program, including diverting the CPU to run untrusted code that the attacker just poked into memory from outside, thereby sidestepping any of the browser’s usual security checks or ‘are you sure’ dialogs,” Sophos added.
According to Mozilla, the flaws only work under certain conditions. Nevertheless, both vulnerabilities have been rated as critical. Fortunately, the company has released a patch, which should automatically roll out to users as Firefox versions 74.0.1 and Firefox ESR 68.6.1.
To check if you’ve upgraded, go to the browser’s help button in Windows, and click “About Firefox” to see which version you’re on. On macOS, go to the preferences panel, and scroll down to view the version number.
The security researchers who uncovered the vulnerabilities are promising to release more details, which might reveal how hackers are actually delivering the attacks. The researchers are also indicating other browsers might be affected as well.