
Mozilla has published Firefox 97.0.2, an out-of-band update that closes two bugs that are officially listed as critical.
Mozilla reports that both of these holes are already actively being exploited, making them so-called zero-day bugs.
Access to information about the bugs is still restricted to Mozilla insiders, presumably to make it harder for attackers to get at the technical details of how to exploit these security holes.
CVE-2022-26485. Use-after-free in XSLT parameter processing. This bug has apparently already been exploited for remote code execution (RCE), implying that attackers with no existing privileges or accounts on your computer could trick you into running malware code of their choice simply by luring you to an innocent-looking but booby-trapped website.
CVE-2022-26486. Use-after-free in WebGPU IPC Framework. This bug has apparently already been exploited for what’s known as a sandbox escape. This sort of security hole can typically be abused on its own, or in combination with an RCE bug to allow implanted malware to escape from the security confines imposed by your browser, thus making an already bad situation even worse.
Use-after-free bugs occur when one part of a program signals its intention to stop using a chunk of memory that was allocated to it, but carries on using it anyway, thus potentially trampling on data that other parts of the program are now relying on. The result can be a program crash, or it can lead to remote code execution, where the data that’s trampled on is wilfully modified by the attackers to trick the program into running untrusted code from outside.
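The mechanism described above, as an added illustration that is not Mozilla's code and does not model either Firefox bug: a constructed toy memory pool in which a released slot is handed to a second owner while the first owner still writes to it, next to a generation-checked handle that rejects the stale access. The pool, the `Handle` type and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Constructed toy pool: "freed" slots are reused deterministically, so the
   stale access below is well-defined C rather than real heap corruption. */
#define SLOTS 4
#define SLOT_SIZE 16
typedef struct { unsigned slot, gen; } Handle;   /* hypothetical handle type */
static char     pool[SLOTS][SLOT_SIZE];
static unsigned gen[SLOTS];                      /* bumped on every release */
static int      in_use[SLOTS];

static Handle pool_alloc(void) {
    for (unsigned i = 0; i < SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; return (Handle){ i, gen[i] }; }
    return (Handle){ SLOTS, 0 };                 /* pool exhausted */
}

static void pool_free(Handle h) {
    if (h.slot < SLOTS && in_use[h.slot] && gen[h.slot] == h.gen) {
        in_use[h.slot] = 0;
        gen[h.slot]++;                           /* invalidate old handles */
    }
}

/* Unchecked write: trusts the slot number alone, like a raw dangling pointer. */
static void write_unchecked(Handle h, const char *s) {
    snprintf(pool[h.slot], SLOT_SIZE, "%s", s);
}

/* Checked write: refuses a handle whose generation no longer matches. */
static int write_checked(Handle h, const char *s) {
    if (h.slot >= SLOTS || !in_use[h.slot] || gen[h.slot] != h.gen) return -1;
    snprintf(pool[h.slot], SLOT_SIZE, "%s", s);
    return 0;
}

/* Returns 1 if the second owner's data was trampled by the stale handle. */
static int demo(int checked) {
    memset(in_use, 0, sizeof in_use);
    Handle a = pool_alloc();
    pool_free(a);                                /* owner A says it is done... */
    Handle b = pool_alloc();                     /* ...so the slot goes to B */
    write_checked(b, "B-data");
    if (checked) write_checked(a, "A-stale");    /* rejected: generation moved on */
    else         write_unchecked(a, "A-stale");  /* A carries on using it anyway */
    return strcmp(pool[b.slot], "B-data") != 0;
}

int main(void) {
    int unchecked = demo(0), checked = demo(1);
    printf("unchecked: trampled=%d  checked: trampled=%d\n", unchecked, checked);
    return 0;
}
```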