CISA orders Firefox patch; adds 11 vulnerabilities to its catalogue

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal civilian agencies to patch two critical Firefox vulnerabilities, tracked as CVE-2022-26485 and CVE-2022-26486, by March 21. The bugs are rated critical because they can let attackers execute almost any command on systems running a vulnerable version of the browser.

The two bugs are use-after-free flaws that let attackers crash the browser and execute malicious code on the target device, including downloading malware that could give them further access. Mozilla has reported that it is aware of attacks in the wild abusing these flaws, potentially for remote code execution and for escaping the browser sandbox.

Additionally, CISA has added nine other vulnerabilities to its Known Exploited Vulnerabilities Catalogue based on evidence that they are being actively exploited by threat actors. Even though the order only applies to federal civilian agencies, CISA has urged public and private sector organisations to patch their systems as well.

Hunting the bugs down

The vulnerabilities in Firefox were discovered and reported to Mozilla by the Chinese cybersecurity company Qihoo 360 ATA. Following the disclosure, Mozilla released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 to fix both bugs.

As mentioned above, both vulnerabilities are use-after-free bugs. This class of flaw occurs when a program keeps a pointer to memory it has already freed and later reads or writes through it. Exploiting such a bug can crash the program or, because the freed memory may have been reused for other data, allow an attacker to run code without permission. The actual method of attack has not been disclosed at the moment.
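To make the bug class concrete, here is a small added C illustration (not code from the article, from Mozilla, or from the Firefox bugs themselves, whose details are undisclosed). The hypothetical session_t object, the session_* functions and the values used are all constructed for the example. It contrasts a release routine that leaves the caller's pointer dangling with one that clears the pointer in the same step as the free, and shows how use sites that check for a cleared pointer refuse a stale reference instead of reading freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical heap object used to illustrate object lifetime. */
typedef struct {
    int id;
    char name[32];
} session_t;

session_t *session_create(int id, const char *name) {
    session_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->id = id;
    strncpy(s->name, name, sizeof s->name - 1);
    return s;
}

/* Risky pattern: the memory is freed, but the caller's copy of the pointer
 * still holds the old address. Any later dereference through it is a
 * use-after-free. Shown for contrast only; nothing below dereferences a
 * pointer after passing it here. */
void session_release_unsafe(session_t *s) {
    free(s);
}

/* Mitigated pattern: take the address of the caller's pointer so the
 * dangling reference is cleared in the same step as the free. Calling it
 * twice on the same variable is harmless, which also closes the related
 * double-free case. */
void session_release(session_t **sp) {
    if (!sp || !*sp) return;
    free(*sp);
    *sp = NULL;
}

/* Use sites check for a cleared pointer and return an error instead of
 * reading memory that may already have been reused. */
int session_id(const session_t *s) {
    return s ? s->id : -1;
}

/* Returns 1 if the object was usable before release, the pointer was
 * cleared by the release, and the use site refused the stale reference. */
int demo_mitigated_lifecycle(void) {
    session_t *s = session_create(42, "constructed-sample");
    if (!s) return 0;
    int before = session_id(s);   /* 42 */
    session_release(&s);          /* s is now NULL */
    int after = session_id(s);    /* -1 rather than a read of freed memory */
    return before == 42 && s == NULL && after == -1;
}

/* Returns 1 if releasing the same variable twice is a no-op the second time. */
int demo_double_release_is_safe(void) {
    session_t *s = session_create(7, "constructed-sample");
    if (!s) return 0;
    session_release(&s);
    session_release(&s);          /* *sp is NULL, so nothing is freed again */
    return s == NULL && session_id(s) == -1;
}

int main(void) {
    printf("mitigated lifecycle ok: %d\n", demo_mitigated_lifecycle());
    printf("double release safe:    %d\n", demo_double_release_is_safe());
    return 0;
}
```

Clearing pointers on release is only one layer; in a large codebase like a browser, the same class of bug is also addressed with ownership discipline (a single owner frees, everyone else borrows), reference counting, and allocator hardening, and it is caught in testing with tools such as AddressSanitizer, which reports the first read or write after a free.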

A VMware vCenter Server vulnerability must be fixed by the same deadline. A total of 11 vulnerabilities were added to the catalogue, including those mentioned above.

CVE ID            Vulnerability                                                                    Due date (DD/MM/YY)
CVE-2022-26486    Mozilla Firefox Use-After-Free Vulnerability                                     21/03/22
CVE-2022-26485    Mozilla Firefox Use-After-Free Vulnerability                                     21/03/22
CVE-2022-26485    VMware vCenter Server, Cloud Foundation Server Side Request Forgery (SSRF)       21/03/22
CVE-2020-8218     Pulse Connect Secure Code Injection Vulnerability                                07/09/22
CVE-2019-11581    Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability 07/09/22
CVE-2017-6077     NETGEAR DGN2200 Remote Code Execution Vulnerability                              07/09/22
CVE-2016-6277     NETGEAR Multiple Routers Remote Code Execution Vulnerability                     07/09/22
CVE-2013-0631     Adobe ColdFusion Information Disclosure Vulnerability                            07/09/22
CVE-2013-0629     Adobe ColdFusion Directory Traversal Vulnerability                               07/09/22
CVE-2013-0625     Adobe ColdFusion Authentication Bypass Vulnerability                             07/09/22
CVE-2009-3960     Adobe BlazeDS Information Disclosure Vulnerability                               07/09/22

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

>