Chrome & Firefox Critical Vulnerabilities
Google and Mozilla are each urging users to patch serious vulnerabilities in their respective web browsers, Chrome and Firefox, that could be exploited to allow threat actors to take over users’ systems. The security fixes will be rolled out to Windows, Mac, and Linux over the next few days. Successful exploitation of some of these flaws could allow attackers to take control of vulnerable systems
The new stable of chrome brings 16 security fixes; and while the tech giant won’t disclose details for all of them until the majority of its userbase has received the updates, it did highlight patches for 13 vulnerabilities that were reported by external researchers.
Twelve flaws were classified as high-risk, while one was determined to be medium in severity. Most of the high-severity flaws are use-after-free bugs. They could be exploited if a user visited or was redirected to a specially crafted web page in order to achieve remote code execution in the context of the browser.
Google paid more than US$110,000 to the security researchers for discovering and reporting the vulnerabilities.
Mozilla patched a critical-rated security loophole that is traked as CVE-2020-16044 and affects browser versions prior to Firefox 84.0.2, Firefox for Android 84.1.3, and Firefox ESR 78.6.1.
“A malicious peer could have modified a COOKIE-ECHO chunk in an SCTP packet in a way that potentially resulted in a use-after-free. We presume that with enough effort it could have been exploited to run arbitrary code,”.
The Stream Control Transmission Protocol (SCTP) is used for transporting multiple streams of data at the same time between two endpoints that are connected to the same network. The flaw in Firefox resides in how the protocol handles cookie data.
CISA urging users and system administrators to update . “Google has released Chrome version 87.0.4280.141 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.”