Security teams from Mozilla and Google have announced the launching of various patches to fix some critical vulnerabilities in their respective web browsers. Reports mention that, if exploited, these flaws would allow threat actors to take full control of compromised systems.
Apparently none of the flaws have been exploited in the wild, although it is best for users to install the updates as soon as possible. Updates should be installed on Windows, Linux, and Mac systems with no exception.
Over 15 Chrome vulnerabilities
Google released Chrome version 87.0.4280.141, which includes 16 security patches. The company’s security report does not include further details about the addressed flaws, as they prefer to wait for most users to update their browser before disclosing technical details; at least 13 of these flaws were reported by external investigators.
Twelve of these flaws are considered critical, while the rest received low scores. Most of these are use-after-free flaws or, in other words, memory corruption vulnerabilities that reside in Chromium. These flaws could be exploited if users visit websites specially designed to trigger remote code execution in the context of the vulnerable browser.
Google paid more than $110,000 USD in rewards to security researchers who reported these flaws.
Multiple Firefox vulnerable versions
On the other hand, Mozilla’s update addresses a severe security flaw (tracked as CVE-2020-16044) present in all versions of Firefox earlier than 84.02, Firefox for Android 84.1.3, and Firefox ESR 78.6.1. According to the company, a malicious peer could have modified a COOKIE-ECHO fragment in a Stream Control Transmission Protocol (SCTP) package to lead to the risk scenario: “A threat actor might find a way to execute arbitrary code on a vulnerable system,” Mozilla adds.
It should be noted that SCTP is used to transport multiple data streams at the same time between two endpoints connected to the same network. The vulnerability exists due to the way the protocol handles cookie data.
The Cybersecurity and Infrastructure Security Agency (CISA) issued a notice for each update package, asking vulnerable system administrators to update as soon as possible, as there are no known workarounds.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.