For the past few months, web browsers are being repeatedly targeted by bad actors and hackers. Security errors in popular browsers including Google Chrome and Apple Safari have been spotted in the recent past. These flaws were actively exploited as well. Most recently, the web browser Mozilla Firefox has launched a bunch of software updates to fix two critical security vulnerabilities.
These errors are called CVE-2022-26485 and CVE-2022-26486. These errors are classified as zero-day errors, which means that they have been exploited before the developers or the security team of the web browser identified them. The use-after-free issues impact the Extensible Stylesheet Language Transformations and the WebGPU inter-process communication framework.
Two zero-day errors fixed by Mozilla Firefox
As mentioned on the official website of Mozilla Firefox, the vulnerabilities have been fixed in the latest version of Firefox 97.0.2 and users are advised to update immediately. The impact of both these errors is termed as critical. The reporters of these errors are Wang Gang, Liu Jialei, Du Sihang, Huang Yi & Yang Kang of 360 ATA. Find the full description of the security errors given below, along with the name of the errors.
- CVE-2022-26485: Use-after-free in XSLT parameter processing: Removing an XSLT parameter during processing could have led to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw.
- CVE-2022-26486: Use-after-free in WebGPU IPC Framework: An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw.
Use-after-free errors are used to corrupt valid data and execute arbitrary code on affected systems. The error is related to inappropriate usage of dynamic memory after the program execution. If a program does not free up the memory is used for its execution and does not clear the pointer to that memory, it can be used by an attacker to execute code. In other words, an attacker can hack the program and run code for malicious purposes.
In related news, California-based graphics processor manufacturer Nvidia has confirmed that its networks were hacked. The company witnessed a cyberattack last week where hackers have stolen data from the servers of the company, including sensitive information and employee credentials. Additionally, the hackers have stolen 190GB of Samsung’s data from Nvidia’s servers and leaked it recently.