Firefox zero day in the wild: patch now (Tor Browser too!) – Naked Security

Posted: April 11, 2020 at 7:47 pm

Mozilla just pushed out an update for its Firefox browser to patch a security hole that was already being exploited in the wild.

If you're on the regular version of Firefox, you're looking to upgrade from 74.0 to 74.0.1, and if you're using the Extended Support Release (ESR), you should upgrade from ESR 68.6.0 to ESR 68.6.1.

The Tor Browser followed suit shortly afterwards [updated 2020-04-06T22:30Z], so if you're a Tor user, make sure you upgrade from 9.0.7 to 9.0.8. (See below for screenshots.)

Given that the bug needed patching in both the latest and the ESR versions, we can assume either that the vulnerability has been in the Firefox codebase at least since version 68 first appeared, back in July 2019, or that it was introduced as a side effect of a later security fix that was backported to the ESR branch as well.

(If you have ESR version X.Y.0, you essentially remain on the feature set of Firefox X.0, but with all the security fixes that have come out up to and including Firefox (X+Y).0. That makes the ESR popular with IT departments who want to avoid frequent feature updates that might require changes to company workflow, but don't want to lag behind on security patches.)

What we can't tell you yet are any details about how long ago the attackers found the bug, how they are exploiting it, what they're doing with it, or who has been attacked so far.

Right now, Mozilla is saying no more than this:

The bug details in Mozilla's bug database aren't open for public viewing yet [2020-04-04T14:30Z], presumably because the Mozilla coders who fixed the flaw have, of necessity, described and discussed it in enough detail to make additional exploits much easier to create.

A use-after-free is a class of bug in which a program keeps using a block of memory after it has released that block for reuse.

Usually, a program hands blocks of memory back to its memory allocator (and, ultimately, to the operating system) once it has finished with them, so that the memory can be used again for something else.

Returning memory when you are done with it stops your program from hogging more and more RAM the longer it runs, until the whole system bogs down.

The library function by which memory is handed back for reuse is called free(), and once you've freed a block you should, rather obviously, never access it again. Any pointer to that block that you keep around afterwards is said to be dangling.

Most importantly, if you read and trust data that now belongs to another part of the program (for example, memory that has just been re-allocated to hold untrusted content downloaded from a web page, or generated by JavaScript fetched from outside), then you may inadvertently put your code at the mercy of data that a crook carefully crafted and served up to trick it on purpose.

Not all use-after-free bugs are exploitable, and not all exploits are created equal. For example, an attacker might only be able to change the content of an icon or a message you are about to display, which could be used to deceive users (say, by showing a success indicator when something actually failed), but not to implant malware directly.

But in some cases, a use-after-free lets an attacker change the flow of control inside your program, including diverting the CPU to run untrusted code that the attacker has just poked into memory from outside, thereby sidestepping the browser's usual security checks and "are you sure?" dialogs.

That's the most serious sort of exploit, known in the jargon as RCE, short for remote code execution, which means just what it says: a crook can run code on your computer remotely, without warning, even from the other side of the world.
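The mechanism described in the paragraphs above, as an added example written for this page (it is not code from Mozilla, from Firefox, or from the original post). The real malloc()/free() are replaced by a toy allocator with a one-entry free list, so the block reuse is deterministic and the demonstration does not itself depend on undefined behaviour. Everything here is invented for illustration: the allocator, the Widget object, legit_handler, the 0x41 filler bytes standing in for attacker-controlled content, and the return codes. The "hardened" flow shows the generic null-after-free pattern, not Mozilla's actual fix, which was not public at the time of the post.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* --- Toy heap: fixed-size blocks carved from a static pool, with a one-entry
 *     LIFO free list. A freed block is handed out again by the very next
 *     allocation, which is the reuse behaviour a use-after-free relies on. --- */
#define POOL_SIZE  4096
#define BLOCK_SIZE 64

static _Alignas(16) unsigned char pool[POOL_SIZE];
static size_t pool_used;          /* bump pointer into pool */
static void  *free_block;         /* most recently freed block, or NULL */

static void toy_reset(void) { pool_used = 0; free_block = NULL; }

static void *toy_alloc(size_t n) {
    if (n > BLOCK_SIZE) return NULL;
    if (free_block) {                      /* recycle the freed block first */
        void *p = free_block;
        free_block = NULL;
        return p;
    }
    if (pool_used + BLOCK_SIZE > POOL_SIZE) return NULL;
    void *p = pool + pool_used;
    pool_used += BLOCK_SIZE;
    return p;
}

/* Like a plain heap, toy_free neither wipes the block nor invalidates anyone's pointer. */
static void toy_free(void *p) { free_block = p; }

/* --- The victim object: a callback (control data) plus state to display (plain data). --- */
typedef void (*click_fn)(int id);
typedef struct {
    click_fn on_click;
    int      id;
} Widget;

static int clicks_seen;
static void legit_handler(int id) { clicks_seen += id; }

#define DATA_CORRUPTED    1   /* id no longer holds what the program stored   */
#define CONTROL_CORRUPTED 2   /* on_click no longer points at legit_handler  */

/* Report which fields of w no longer hold what the program wrote; the function
 * pointer is compared bytewise to avoid casting it to an integer. */
static int corruption_code(const Widget *w) {
    int code = 0;
    click_fn expect = legit_handler;
    if (w->id != 7) code |= DATA_CORRUPTED;
    if (memcmp(&w->on_click, &expect, sizeof expect) != 0) code |= CONTROL_CORRUPTED;
    return code;
}

/* Vulnerable flow: free the widget, then keep using the stale pointer. */
int vulnerable_flow(void) {
    toy_reset();
    Widget *w = toy_alloc(sizeof *w);
    if (!w) return -1;
    w->on_click = legit_handler;
    w->id = 7;

    toy_free(w);                 /* block goes back to the free list; w now dangles */

    /* Constructed stand-in for attacker-controlled content (say, bytes from a
     * web page): the next allocation receives the block w still points to, so
     * the attacker's bytes land exactly where on_click and id used to be. */
    unsigned char *untrusted = toy_alloc(32);
    if (!untrusted) return -1;
    memset(untrusted, 0x41, 32);

    int code = corruption_code(w);
    if (code & CONTROL_CORRUPTED)
        return code;             /* w->on_click(w->id) here would jump to 0x4141...: that is RCE */
    w->on_click(w->id);          /* only data corrupted: the "wrong icon/message" case */
    return code;
}

/* Hardened flow: ownership is explicit. The pointer is nulled when the object is
 * freed and checked before any later use, so the stale access is refused instead
 * of trusting whatever now occupies the block. */
static void toy_free_and_null(Widget **wp) { toy_free(*wp); *wp = NULL; }

int hardened_flow(void) {
    toy_reset();
    Widget *w = toy_alloc(sizeof *w);
    if (!w) return -1;
    w->on_click = legit_handler;
    w->id = 7;

    toy_free_and_null(&w);

    unsigned char *untrusted = toy_alloc(32);   /* reuses the block exactly as before */
    if (!untrusted) return -1;
    memset(untrusted, 0x41, 32);

    if (w == NULL) return 0;     /* stale use refused: nothing read, nothing called */
    return corruption_code(w);   /* would only be reached if the null check were dropped */
}

int main(void) {
    printf("vulnerable flow: corruption code %d (1 = data, 2 = control flow)\n", vulnerable_flow());
    printf("hardened flow:   corruption code %d\n", hardened_flow());
    return 0;
}
```

Build with `cc -std=c11 -Wall uaf_demo.c -o uaf_demo && ./uaf_demo`. The vulnerable flow reports code 3: both the displayed value (the L31 scenario) and the function pointer (the L33 scenario) have been replaced by the "untrusted" bytes, because the allocator handed the freed block straight to the next request. The demo deliberately stops short of calling the corrupted pointer; a real exploit would arrange for those bytes to point at code the attacker controls. The hardened flow returns 0 because the dangling pointer no longer exists to be dereferenced. Nulling the pointer is the minimal mitigation; the real fix for a bug like this is to correct whichever lifetime error freed the object while it was still in use.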

We're assuming, because Mozilla has rated these bugs critical, that they can be used for RCE.

What one team of crooks has already found, others might find in turn, especially now they have at least a vague idea of where to start looking.

So, as always, patch early, patch often!

Most Firefox users should get the update automatically, but you might as well check to make sure it's there, because the act of checking will itself trigger an update if you haven't got it yet.

Click the three-bar (hamburger menu) icon at the top right, then choose Help > About Firefox.
