Successful exploitation of some of these flaws could allow attackers to take control of vulnerable systems.
Google and Mozilla fix serious vulnerabilities in their respective web browsers, Chrome and Firefox, which could be exploited to allow attackers to take control of users’ systems. Security patches will be rolled out to Windows, Mac, and Linux over the coming weeks. It is important to note that none of the flaws have been detected as being exploited to date.
The new stable version of Chrome, 87.0.4280.141, provides 16 security fixes; and while the tech giant won’t release details of all of these fixes until the majority of its user base has received the updates, it highlighted fixes for 13 vulnerabilities that were reported by outside researchers.
Twelve flaws were rated as high risk, while one was determined to be medium severity. Most of the high severity vulnerabilities are “use-after-free” bugs, that is, memory corruption vulnerabilities residing in various components of Chromium. They could be exploited if a user went to or was redirected to a web page specifically designed to allow remote code execution in the context of the browser, the Center for Internet Security noted.
Google paid security researchers over US $ 110,000 for discovering and reporting the vulnerabilities.
The Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory urging users and system administrators to update the browser: “Google released version 87.0.4280.141 of Chrome for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. “
Meanwhile, Mozilla has released a security update to address a security vulnerability deemed critical that is tracked as CVE-2020-16044 and affects browser versions prior to Firefox 84.0.2, Firefox for Android 84.1.3 , and Firefox ESR 78.6.1.
“A malicious actor could have modified a piece of COOKIE-ECHO in an SCTP package in a way that could have resulted in free use. We assume that with enough effort, it could have been exploited to execute an arbitrary code, ”Mozilla says in its description of the attack vector.
The SCTP protocol (Stream Control Transmission Protocol) is used to transport several data streams at the same time between two machines connected to the same network. The flaw in Firefox lies in the way the protocol handles cookie data.
The CISA has also taken note of this vulnerability and issued a notice urging users and administrators to update their software to protect their systems against possible attacks.
You are indeed strongly encouraged to update browsers to their respective latest versions as soon as possible. If you’ve turned on automatic updates, your browsers should update themselves.