Mozilla released a new stable version of the organization’s Firefox web browser on April 3, 2020. Firefox 74.0.1 Stable is a security update that patches two critical security vulnerabilities in the browser that are actively exploited in the wild. Mozilla also released an update for the Extended Support Release, Firefox ESR, to address the vulnerabilities in that browser. Firefox ESR is upgraded to version 68.6.1, and the updates are already available.
Firefox users who run the stable version of the web browser should receive update notifications the next time they start the browser. The process can be expedited either by downloading the new stable release manually from Mozilla’s official download site or by selecting Menu > Help > About Firefox to run a manual check for updates.
The release notes have been published already; they list security fixes only and no other changes. Mozilla’s Security Advisories site provides additional information on the two vulnerabilities that the organization fixed in the new Firefox release:
- CVE-2020-6819: Use-after-free while running the nsDocShell destructor — Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw.
- CVE-2020-6820: Use-after-free when handling a ReadableStream — Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw.
It is unclear how these vulnerabilities can be exploited; all that is known is that attacks exploiting them are happening right now. ReadableStream is used to read data streams; the nsDocShell issue seems to have been caused by data not being released properly.
Firefox users are encouraged to update the web browser as soon as possible to protect it from these attacks.
One of the researchers who reported the issues to Mozilla revealed on Twitter that the discovered issues might affect other browsers as well. He praised Mozilla for patching the vulnerability quickly. Whether “other browsers” means other Firefox-based browsers or non-Firefox browsers is unknown.
Now You: Have you updated your browser already?