CVE-2020-6819, CVE-2020-6820: Critical Mozilla Firefox Zero-Day Vulnerabilities Exploited in the Wild
Researchers report multiple zero-day vulnerabilities in Mozilla Firefox and note that other browsers are also affected.
背景
On April 3, Mozilla Foundation published advisory 2020-11 for Mozilla Firefox and Mozilla Firefox Extended Support Release (ESR). The advisory includes fixes for two critical zero-day vulnerabilities, both of which were exploited in the wild as part of targeted attacks.
The discovery of these vulnerabilities was credited to security researchers Francisco Alonso and Javier Marcos. Alonso tweeted there are “more details to be published (including other browsers),” indicating these flaws likely extend to other web browsers. However, that information is currently not public, likely an effort to keep the details private until patches are available.
There is still lots of work to do and more details to be published (including other browsers). Stay tuned.
— Francisco Alonso (@revskills) April 3, 2020
As we’ve seen time and again, attackers continue to target widely installed applications such as web browsers. These latest vulnerabilities follow on the heels of another zero-day vulnerability in Mozilla Firefox exploited in the wild in January 2020.
分析
CVE-2020-6819 is a use-after-free vulnerability due to a race condition when the nsDocShell destructor is running. Based on the GitHub commit history for the nsDocShell.cpp file, it appears the issue exists due to the mContentViewer not being released properly.
Image source: GitHub of nsDocShell changes made to address CVE-2020-6819
CVE-2020-6820 is a use-after-free vulnerability due to a race condition in the ReadableStream class, which is used to read a stream of data.
Image source: MDN web docs
We anticipate further details about these vulnerabilities will be publicly available once the researchers publish their findings.
概念验证
At the time this blog post was published, there was no proof-of-concept code available for either of these vulnerabilities.
解决方案
Mozilla Foundation released Mozilla Firefox 74.0.1 and Mozilla Firefox ESR 68.6.1 to address these vulnerabilities. While these vulnerabilities were exploited in targeted attacks, Firefox users are still encouraged to upgrade as soon as possible.
识别受影响的系统
用于识别这些漏洞的 Tenable 插件列表在发布时将显示在此处。
获取更多信息
加入 Tenable Community 中的 Tenable 安全响应团队
了解有关 Tenable 这款首创 Cyber Exposure 平台的更多信息,全面管理现代攻击面。
获取 30 天免费试用版 Tenable.io Vulnerability Management。
相关文章
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
Cybersecurity Snapshot: CISA Says Midnight Blizzard Swiped U.S. Gov’t Emails During Microsoft Hack, Tells Fed Agencies To Take Immediate Action
April 12, 2024Check out CISA’s urgent call for federal agencies to protect themselves from Midnight Blizzard’s breach of Microsoft corporate emails. Plus, a new survey shows cybersecurity pros are guardedly optimistic about AI. Meanwhile, SANS pinpoints the four trends CISOs absolutely must focus on this year. And the NSA is sharing best practices for data security. And much more!
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Cybersecurity Snapshot: Cyber Agencies Offer Secure AI Tips, while Stanford Issues In-Depth AI Trends Analysis, Including of AI Security
April 19, 2024Check out recommendations for securing AI systems from the Five Eyes cybersecurity agencies. Plus, Stanford University offers a comprehensive review of AI trends. Meanwhile, a new open-source tool aims to simplify SBOM usage. And don’t miss the latest CIS Benchmarks updates. And much more!
Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments
April 18, 2024The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.
- Vulnerability Management