targets. Companies and institutions are more affected by attackers such as APTs (Advanced persistent threat) backed by governments from around the world.
The two vulnerabilities were rated as critical by Mozilla, and details about how they work are not yet public. They both use-after-free exploits and were already used in the wild, which is why the company is not yet releasing details.
In CVE-2020-6819, under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. And with CVE-2020-6820, when handling a ReadableStream, a race condition can cause a use-after-free as well.
According to the Center for Internet Security (CIS), “the successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
All Firefox versions prior to 74.0.1 and Firefox ESR versions before 68.6.1 are affected, and users are advised to upgrade their Internet browsers are soon as possible. Ideally, Internet browsers should not be used by users
with administrative rights, and people should not visit un-trusted websites or follow links provided by unknown or un-trusted sources.
Security researchers Francisco Alonso and Javier Marcos first
reported the two vulnerabilities. Interestingly enough, they also say that new details about the exploits will be published and will involve other browsers as well. This means that, while the problems were initially reported on Firefox, they might be valid on other Internet browsers as well.