Update Firefox for multiple vulnerabilities
This information was sent via email to U-M IT groups on April 6, 2020. It is intended for U-M IT staff who are responsible for university devices running Mozilla Firefox or Firefox Extended Support Release (ESR). It is also applicable to individuals who have Firefox installed on their own devices.
Summary
Multiple vulnerabilities have been discovered in Mozilla Firefox and Firefox Extended Support Release (ESR), the most severe of which could allow for arbitrary code execution. Firefox is a web browser provided by Mozilla. Firefox ESR is the version of Firefox used for centrally managed computers, such as those managed by MiWorkspace. Update Firefox and Firefox ESR as soon as possible after appropriate testing to address the vulnerabilities.
Problem
Successful exploitation of the most severe of the vulnerabilities could allow for arbitrary code execution. Remote, unauthenticated attackers could trick potential victims into visiting a malicious website that triggers these two vulnerabilities and then execute arbitrary code on devices running unpatched versions of Firefox.
Threats
Mozilla reports that two of the newly identified vulnerabilities are being exploited by targeted attacks in the wild.
Affected Versions
- Firefox versions prior to 74.0.1
- Firefox ESR versions prior to 68.6.1
Action Items
Update Firefox.
- If you manage university computers, update them to the latest version of Firefox or Firefox ESR as soon as possible after appropriate testing. The need for immediate action requires an expedited timeframe that supersedes the remediation timeframes in Vulnerability Management (DS-21).
- The update is available now for MiWorkspace computers:
  - If Firefox is not currently open on your MiWorkspace computer, it will update automatically when you open it.
  - If you have Firefox open, quit or exit, then reopen it to install the update.
  - If you do not open Firefox, the update will install through the Software Center for Windows or the Managed Software Center for Macs. See MiWorkspace: Manage Software & Security Updates for details.
- Update to the latest version of Firefox on your own devices as soon as possible. It is best to set Firefox to update automatically. You will need to restart Firefox to apply the update.
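Added example, not part of the advisory: a small Python check that parses the banner printed by `firefox --version` and flags installs below the fixed versions listed under Affected Versions (74.0.1 for the release channel, 68.6.1 for ESR). The `firefox` binary name on PATH, the banner format and the inventory of hosts are assumptions made for the example.

```python
import re
import subprocess

# Fixed versions from the advisory: Firefox 74.0.1 and Firefox ESR 68.6.1.
FIXED = {"release": (74, 0, 1), "esr": (68, 6, 1)}


def parse_firefox_version(banner):
    """Turn 'Mozilla Firefox 74.0' or 'Mozilla Firefox 68.6.0esr' into
    (channel, (major, minor, patch)). A missing patch component is 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", banner)
    if not m:
        raise ValueError(f"unrecognised Firefox version banner: {banner!r}")
    major, minor, patch, esr = m.groups()
    channel = "esr" if esr else "release"
    return channel, (int(major), int(minor), int(patch or 0))


def is_vulnerable(banner):
    """True when the install is older than the fixed version for its channel."""
    channel, version = parse_firefox_version(banner)
    return version < FIXED[channel]


def installed_banner(binary="firefox"):
    """Ask the local Firefox for its version banner (assumed: Linux/macOS,
    binary on PATH; on Windows the console output of firefox.exe is not
    reliable, so read the version from the installer inventory instead)."""
    out = subprocess.run([binary, "--version"], capture_output=True, text=True)
    return out.stdout.strip()


def hosts_needing_update(inventory):
    """Given {hostname: banner}, return the hosts still on an affected version."""
    return sorted(h for h, banner in inventory.items() if is_vulnerable(banner))


# Constructed sample inventory, e.g. collected from an endpoint-management tool.
SAMPLE_INVENTORY = {
    "lab-pc-01": "Mozilla Firefox 74.0",        # release, affected
    "lab-pc-02": "Mozilla Firefox 74.0.1",      # release, fixed
    "miw-mac-07": "Mozilla Firefox 68.6.0esr",  # ESR, affected
    "miw-win-12": "Mozilla Firefox 68.6.1esr",  # ESR, fixed
}

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> update required")
```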
Technical Details
- Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. (CVE-2020-6819)
- Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. (CVE-2020-6820)
How We Protect U-M
- ITS Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
- ITS IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
- ITS IA provides vulnerability management guidance to the university.
Information for Users
- Update to the latest version of Firefox on your own devices as soon as possible. It is best to set Firefox to update automatically. You will need to restart Firefox to apply the update.
- The update is available now for MiWorkspace computers:
  - If Firefox is not currently open on your MiWorkspace computer, it will update automatically when you open it.
  - If you have Firefox open, quit or exit, then reopen it to install the update.
  - If you do not open Firefox, the update will install through the Software Center for Windows or the Managed Software Center for Macs. See MiWorkspace: Manage Software & Security Updates for details.
References
- Two critical Firefox vulnerabilities exploited by attackers, patch now! (HelpNetSecurity, 4/6/20)
- Firefox Zero-Day Flaws Exploited in the Wild Get Patched (Threat Post, 4/4/20)
- Mozilla Foundation Security Advisory 2020-11: Security Vulnerabilities fixed in Firefox 74.0.1 and Firefox ESR 68.6.1 (Mozilla, 4/3/20)
- Mozilla Patches Critical Vulnerabilities in Firefox, Firefox ESR (Cybersecurity and Infrastructure Security Agency (CISA), 4/3/20)
- Mozilla Patches Two Actively Exploited Firefox Zero-Days (Bleeping Computer, 4/3/20)
- CVE-2020-6819
- CVE-2020-6820