Mozilla has published Firefox 97.0.2, an “out-of-band” update that closes two bugs that are officially listed as critical.

Mozilla reports that both of these holes are already actively being exploited, making them so-called zero-day bugs, which means, in simple terms, that the crooks got there first:

We have had reports of attacks in the wild abusing [these] flaw[s].

Access to the details of the bugs is still restricted to Mozilla insiders, presumably to make it harder for attackers to get at the technical details of how to exploit these security holes.

Assuming that the existing zero-day exploits are not widely known, temporarily limiting access to the source code changes does provide some protection against copycat attacks. (These days, true zero-days are often jealously guarded by their discoverers, because they’re considered both scarce and valuable.)

As we’ve mentioned many times before on Naked Security, finding and exploiting a zero-day hole when you know where to start looking, and what to start looking for, is very much easier than discovering such a bug from scratch.