SECURITY ALERTS

Multiple Vulnerabilities (CVE-2022-26485 and CVE-2022-26486) in Mozilla Firefox, Firefox ESR, Firefox for Android, Focus and Thunderbird Could Allow for Arbitrary Code Execution

DESCRIPTION:
Multiple vulnerabilities (CVE-2022-26485 and CVE-2022-26486) exist in Mozilla Firefox, Firefox ESR, Firefox for Android, Focus and Thunderbird. One vulnerability is triggered by removing a value in XSLT, which may cause a use-after-free. The other is triggered by an unexpected value in the WebGPU IPC framework, which may cause a sandbox escape. Combining the two vulnerabilities may allow an attacker to execute arbitrary code on the system, and Mozilla indicates that programs using these vulnerabilities in attacks have been found.

AFFECTED RELEASES:
Firefox versions prior to 97.0.2
Firefox ESR versions prior to 91.6.1
Firefox for Android versions prior to 97.3
Firefox Focus versions prior to 97.3
Mozilla Thunderbird versions prior to 91.6.2

SOLUTION:
1. Check the Firefox and Firefox ESR version and update to at least version by following these steps:
(1) Open the browser, click the "Firefox Menu button", click "Help" and then select "About Firefox". Firefox will begin checking for updates and downloading them automatically.
(2) When the download is complete, click the "Restart" option to restart Firefox and complete the update.
2. Check the Firefox for Android version and update to at least version by following these steps:
(1) Open the browser, click the "Firefox Menu button", click "Settings" and then select "About Firefox". The version number is shown below the Firefox Browser text mark.
(2) Open Google Play and check whether an update is available. If one is, click "Update" to update.
3. Check the Firefox Focus version and update to at least version by following these steps:
(1) Open the browser, click the "Firefox Menu button", click "Settings", then "Mozilla", and then select "About Firefox Focus". The version number is shown below the Firefox Focus text mark.
(2) Open Google Play and check whether an update is available. If one is, click "Update" to update.
4. Check the Thunderbird version and update to at least version by following these steps:
(1) Open Thunderbird, click "Help" and then select "About Mozilla Thunderbird". Thunderbird will begin checking for updates and downloading them automatically.
(2) When the download is complete, click the "Restart Thunderbird" option to restart Thunderbird and complete the update.
5. Maintain good usage habits, and do not click unknown links.
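
When many machines have to be checked, the version comparison behind the steps above can be scripted. The following Python is an added example, not part of the original advisory or of Mozilla's tooling. The fixed versions come from the AFFECTED RELEASES list; the function names, host names and sample version strings are constructed assumptions.

```python
import re

# Minimum fixed versions, from the AFFECTED RELEASES list in this advisory.
FIXED = {
    "firefox": (97, 0, 2),
    "firefox-esr": (91, 6, 1),
    "firefox-android": (97, 3),
    "focus": (97, 3),
    "thunderbird": (91, 6, 2),
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(esr)?", re.IGNORECASE)

def parse_version(text):
    """Return (version tuple, is_esr) from e.g. 'Mozilla Firefox 91.6.1esr'."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no version number in {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, match.group(2) is not None

def is_affected(product, version_text):
    """True if the reported version is older than the fixed release."""
    version, is_esr = parse_version(version_text)
    # An ESR build is compared against the ESR fix, not the release-channel
    # fix: 91.6.1esr is patched, while a non-ESR 91.x build is not.
    if product == "firefox" and is_esr:
        product = "firefox-esr"
    fixed = FIXED[product]
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)

def audit(inventory):
    """Return the (host, product, version) rows that still need the update."""
    return [row for row in inventory if is_affected(row[1], row[2])]

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "Mozilla Firefox 97.0.1"),
    ("ws-03", "firefox", "Mozilla Firefox 91.6.1esr"),
    ("ws-04", "firefox", "Mozilla Firefox 91.5.0esr"),
    ("ws-05", "thunderbird", "Thunderbird 91.6.1"),
    ("ph-01", "focus", "97.3.0"),
]

if __name__ == "__main__":
    for host, product, version in audit(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version!r} needs updating")
```
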

 

REFERENCE:
1. https://www.ithome.com.tw/news/149738
2. https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/
3. https://support.mozilla.org/zh-TW/kb/update-latest-version-firefox-android
4. https://support.mozilla.org/en-US/kb/updating-thunderbird
