Google and Mozilla are each urging users to patch serious vulnerabilities in their respective web browsers, Chrome and Firefox, that could be exploited to allow threat actors to take over users’ systems. The security fixes will be rolled out to Windows, Mac, and Linux over the next few days. Importantly, none of the flaws has been spotted as being abused in the wild.
The new stable release of Chrome, 87.0.4280.141, brings 16 security fixes; and while the tech giant won’t disclose details for all of them until the majority of its userbase has received the updates, it did highlight patches for 13 vulnerabilities that were reported by external researchers.
Twelve flaws were classified as high-risk, while one was determined to be medium in severity. Most of the high-severity flaws are use-after-free bugs, i.e. memory corruption flaws, residing in various Chromium components. They could be exploited if a user visited or was redirected to a specially crafted web page in order to achieve remote code execution in the context of the browser, noted the Center for Internet Security.
Google paid more than US$110,000 to the security researchers for discovering and reporting the vulnerabilities.
The Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory urging users and system administrators to update the browser: “Google has released Chrome version 87.0.4280.141 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.”
Meanwhile, Mozilla released a security update to address a critical-rated security loophole that is tracked as CVE-2020-16044 and affects browser versions prior to Firefox 84.0.2, Firefox for Android 84.1.3, and Firefox ESR 78.6.1.
“A malicious peer could have modified a COOKIE-ECHO chunk in an SCTP packet in a way that potentially resulted in a use-after-free. We presume that with enough effort it could have been exploited to run arbitrary code,” said Mozilla describing the attack vector.
The Stream Control Transmission Protocol (SCTP) is used for transporting multiple streams of data at the same time between two endpoints that are connected to the same network. The flaw in Firefox has to do with how the protocol handles cookie data.
CISA took note of this vulnerability as well and issued an advisory urging both users and administrators to update their software to protect their systems from potential attacks.
You are indeed strongly encourage to update the browsers to their respective latest versions as soon as practicable. You can download the latest version of Chrome here and Firefox here. If you have automatic updates enabled, your browsers should update by themselves.