On April 3, 2020, Mozilla announced that it had released security updates to patch critical vulnerabilities in both Firefox and Firefox Extended Support Release (ESR) that were found by security researchers with JMP Security.
Both vulnerabilities allow for race conditions which can cause a use-after-free issue. The first vulnerability, CVE-2020-6819, allows for a race condition when running the nsDocShell destructor (under certain conditions). The second vulnerability, CVE-2020-6820, allows for a race condition when handling a ReadableStream (under certain conditions).
According to the Department of Homeland Security Cybersecurity and Infrastructure Security Agency’s United States Computer Emergency Readiness Team (US-CERT) program, “an attacker could exploit these vulnerabilities to take control of an affected system.”
“Both bugs…allow remote attackers to execute arbitrary code or trigger crashes on machines running versions of Firefox prior to 74.0.1 and its business-friendly Firefox Extended Support Release 68.6.1,” a researcher at ThreatPost said.
Mozilla said that they are aware of both vulnerabilities being used in targeted attacks by hackers.
One of the researchers who discovered the vulnerabilities, Francisco Alonso, tweeted that “there is still lots of work to do and more details to be published (including other browsers). Stay tuned.”
It is highly recommended that all Firefox users download and apply the latest patches in order to protect themselves from exploitation of these critical vulnerabilities.
For additional information, please see the following sources:
Mozilla. Mozilla Foundation Security Advisory 2020-11. April 3, 2020. https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/
Mozilla. Firefox Update. April 3, 2020. https://support.mozilla.org/en-US/kb/update-firefox-latest-release
DHS CISA US-CERT. Mozilla Patches Critical Vulnerabilities in Firefox, Firefox ESR. April 3, 2020. https://www.us-cert.gov/ncas/current-activity/2020/04/03/mozilla-patches-critical-vulnerabilities-firefox-firefox-esr
Tom Spring. Firefox Zero-Day Flaws Exploited in the Wild Get Patched. April 4, 2020. https://threatpost.com/firefox-zero-day-flaws-exploited-in-the-wild-get-patched/154466/
The E-ISAC has not established any specified threat to the electricity community based upon these vulnerabilities. However, as the information above and in the links indicates, the likelihood of adversarial action based upon this vulnerability is high. If this or any other adversarial action is experienced, contact the E-ISAC Watch Operations Team, and create a Portal Post for instant community awareness.