Firefox gets fixes for two zero-days exploited in the wild

April 04, 2020

Firefox users are advised to update their browsers to patch two bugs that are being exploited in the real world by hackers.

The fixes are available in Firefox 74.0.1, released earlier today. This new Firefox version includes fixes for CVE-2020-6819 and CVE-2020-6820, two bugs that reside in the way Firefox manages its memory space.

The bugs are so-called user-after-free vulnerabilities, which allow hackers to place code inside Firefox’s memory and have it executed in the browser’s context. Such bugs can be exploited to run code on victim’s devices, although the impact and reach of such code usually varies.

Details about the actual attacks where these two bugs are being exploited are still kept under wraps — a common practice among software vendors and security researchers, as they focus on delivering patches first and then investigating the attacks further.

Mozilla credited security firm JMP Security and security researcher Francisco Alonso with discovering the two zero-days.

In a tweet today, Alonso suggested that the bugs discovered today might also impact other browsers, although it is unclear if those browsers have been exploited as well.

There is still lots of work to do and more details to be published (including other browsers). Stay tuned.

— Francisco Alonso (@revskills) April 3, 2020

This is the second zero-day that Mozilla patches in Firefox this year. It patched another bug in January, with the release of Firefox v72.0.1. That bug was exploited to attack users in China and Japan as part of a state-sponsored cyber-espionage campaign, according to reports published by Qihoo 360 and Japan CERT.