Users should patch several new browser vulnerabilities affecting Chrome, Firefox, and Edge.
The vulnerabilities are rated critical and could allow attackers to hijack susceptible systems.
It should be noted that the Firefox flaw identified as CVE-2020-16044 is separate from the vulnerability discovered in Chromium. Chromium is the browser engine for both Google Chrome and Microsoft Edge.
Firefox Vulnerability CVE-2020-16044
According to Mozilla’s advisory, “a malicious peer could have modified a COOKIE-ECHO chunk in a SCTP packet in a way that potentially resulted in a use-after-free. We presume that with enough effort it could have been exploited to run arbitrary code.”
In other words, the vulnerability is a use-after-free issue, stemming from the way the Firefox browser handles browser cookies. Upon exploitation, the bug could allow attackers to access the user’s device (computer, tablet, or phone). The vulnerability has been fixed in the desktop Firefox version 84.0.2, Firefox Android 84.1.3, and the corporate ESR 78.6.1 version.
The company hasn’t specified who discovered the vulnerability or whether it is being actively exploited in the wild. Nonetheless, users should make sure that their browsers are running a patched version to avoid any issues.
Chrome and Edge Vulnerability CVE-2020-15995
This Chromium bug is described as an “out of bounds write in V8 in Google Chrome prior to 86.0.4240.99”. The bug could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Windows, macOS, and Linux users of Chrome should patch the vulnerability by updating to version 87.0.4280.141 of the browser. Tenable researchers rated the flaw as critical. However, Google and Microsoft said the bug is of high severity.
CVE-2020-15995 was discovered and reported by Tencent Security Xuanwu Lab researcher Bohan Liu.
It is noteworthy that CVE-2020-15995 is associated with a Chrome for Android update security bulletin Google published in October last year, when it was rated a high-severity issue.
Initially, the vulnerability was disclosed in September 2020 by the same Tencent researcher.
This is not the only vulnerability endangering the Chromium engine in Chrome and Edge. Google disclosed 12 more flaws, and Microsoft also featured them in its security bulletin. This is the list of vulnerabilities:
CVE-2021-21106, CVE-2021-21107, CVE-2021-21108, CVE-2021-21109, CVE-2021-21110, CVE-2021-21111, CVE-2021-21112, CVE-2021-21113, CVE-2021-21114, CVE-2021-21115, CVE-2021-21116, CVE-2020-16043.
In December 2020, Mozilla and Google addressed another critical vulnerability lurking in their browsers.
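To check an inventory against the fixed versions named above, the following is an added example, not code from this article, Mozilla, or Google. The channel names and inventory rows are constructed, 87.0.4280.141 is assumed to be the fixed desktop Chrome build, and Edge is reported as unknown because no fixed Edge build is given here.

```python
import re

# Fixed versions as given in the article, per product channel. Edge is absent
# because the article states no fixed Edge build; 87.0.4280.141 is treated as
# the fixed desktop Chrome build (assumption about the article's wording).
FIXED = {
    "firefox": (84, 0, 2),
    "firefox-esr": (78, 6, 1),
    "firefox-android": (84, 1, 3),
    "chrome": (87, 0, 4280, 141),
}
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:esr)?$")

def parse_version(text):
    """'78.7.0esr' -> (78, 7, 0); raises ValueError on betas or garbage."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def status(product, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one installed browser."""
    fixed = FIXED.get(product)
    if fixed is None:
        return "unknown"  # no fixed version stated for this product
    try:
        installed = parse_version(version_text)
    except ValueError:
        return "unknown"  # e.g. a beta build: needs manual review
    # Pad to equal length so 84.0.2 and 84.0.2.0 compare as equal.
    width = max(len(installed), len(fixed))
    installed += (0,) * (width - len(installed))
    fixed += (0,) * (width - len(fixed))
    return "patched" if installed >= fixed else "vulnerable"

# Constructed inventory rows: (host, product channel, reported version).
INVENTORY = [
    ("ws-01", "firefox", "84.0.1"),
    ("ws-02", "firefox-esr", "78.7.0esr"),  # below 84.0.2 but a fixed ESR
    ("ws-03", "chrome", "87.0.4280.88"),
    ("ws-04", "chrome", "87.0.4280.141"),
    ("ws-05", "firefox", "85.0b4"),
    ("ph-01", "firefox-android", "84.1.2"),
    ("ws-06", "edge", "87.0.664.75"),
]

def needs_attention(inventory):
    """Hosts whose browser is not confirmed patched, with the reason."""
    return [(h, p, v, status(p, v)) for h, p, v in inventory
            if status(p, v) != "patched"]
```

The comparison is made per channel, so an ESR build such as 78.7.0 counts as patched even though its number is lower than 84.0.2.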