According to the official Mozilla Foundation security advisory, the vulnerabilities are rated critical because they allow remote code execution, and they appear to have been actively exploited in the wild in targeted attacks.
This vulnerability has been fixed in Firefox 74.0.1 and Firefox ESR 68.6.1. Its impact is critical. Mozilla’s advisory gives no details about the nature of the vulnerability, and MITRE’s advisory is yet to be updated.
This vulnerability has been described as a “use-after-free” issue when handling a ReadableStream. The bug was reported by security researchers Francisco Alonso and Javier Marcos.
“Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw,” Mozilla’s advisory explains.
Both vulnerabilities are critical and enable remote code execution attacks. If exploited, the bugs could trigger crashes on vulnerable machines running Firefox prior to version 74.0.1 or its business-oriented Firefox Extended Support Release 68.6.1. Firefox on Windows, macOS, and Linux is vulnerable. Almost no details are available about how these vulnerabilities are being used in attacks in the wild.
What is known is that the worst-case scenario is arbitrary code execution. According to the Center for Internet Security (CIS), depending on the privileges of the user, a threat actor could install programs, view, change or delete data, or create new accounts with full user rights. Users with fewer rights on the particular system could be less impacted than those with admin rights.
Patches are already available for the following versions of Firefox: Firefox 74.0.1 for Windows 64-bit, Firefox 74.0.1 for Windows 32-bit, Firefox 74.0.1 for macOS, Firefox 74.0.1 for Linux 64-bit and Firefox 74.0.1 for Linux 32-bit.
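To check an inventory against the fixed versions named above, the following added example (not taken from Mozilla's advisory) classifies version strings as patched, vulnerable or unknown. It assumes the strings have the form printed by `firefox --version`, with ESR builds carrying an `esr` suffix; the host names and inventory are constructed sample data.

```python
import re

# Fixed versions as stated in the article.
FIXED_RELEASE = (74, 0, 1)
FIXED_ESR = (68, 6, 1)

# Assumed input form: "Mozilla Firefox 74.0.1" or "Mozilla Firefox 68.6.1esr".
# Anything with another suffix (beta, nightly) deliberately does not match.
_VERSION_RE = re.compile(r"Firefox\s+(\d+)\.(\d+)(?:\.(\d+))?(esr)?\s*$")


def classify(version_line):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    m = _VERSION_RE.search(version_line.strip())
    if not m:
        # Pre-release or unparseable builds are not covered by the article,
        # so flag them for manual review instead of guessing.
        return "unknown"
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    is_esr = m.group(4) is not None
    # ESR 68.x is fixed from 68.6.1; every other build is compared
    # against the 74.0.1 release fix.
    if is_esr and version[0] == FIXED_ESR[0]:
        return "patched" if version >= FIXED_ESR else "vulnerable"
    return "patched" if version >= FIXED_RELEASE else "vulnerable"


def audit(inventory):
    """Map each host to the classification of its reported version."""
    return {host: classify(line) for host, line in inventory.items()}


# Constructed sample inventory (hypothetical hosts).
SAMPLE_INVENTORY = {
    "ws-001": "Mozilla Firefox 74.0.1",
    "ws-002": "Mozilla Firefox 74.0",
    "ws-003": "Mozilla Firefox 68.6.1esr",
    "ws-004": "Mozilla Firefox 68.6.0esr",
    "ws-005": "Mozilla Firefox 75.0b11",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```
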