Critical Bugs in Firefox and Chrome Allow Exploitation

 

On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) asked clients of Mozilla Foundation's Firefox browser and Windows, macOS, and Linux clients of Google's Chrome browser to fix bugs, traced as CVE-2020-16044 and CVE-2020-15995 respectively. 

The vulnerability of CVE-2020-16044 is classified as a use-after-free bug and attached to the manner in which Firefox handles browser cookies and whenever exploited permits hackers to access the computer, telephone, or tablet running the browser software. Affected are Firefox browser renditions released before the recently released Firefox desktop 84.0.2, Firefox Android 84.1.3 edition, and furthermore Mozilla's corporate ESR 78.6.1 version of Firefox. "A pernicious peer might have altered a COOKIE-ECHO chunk in a SCTP packet in a way that conceivably resulted in a use-after-free. We assume that with enough effort it might have been exploited to run arbitrary code," as indicated by a Mozilla security notice.

SCTP stands for Stream Control Transmission Protocol, utilized in computer networking to communicate protocol data inside the Transport Layer of the internet protocol suite, or TCP/IP. A COOKIE ECHO chunk is a snippet of information sent during the initialization of the SCTP association with the browser.

Google's Chrome browser bug CVE-2020-15995 was affecting the current 87.0.4280.141 rendition of the software. The CISA-bug cautioning expressed that the update to the most recent version of the Chrome browser would "addresses vulnerabilities that an attacker could exploit to take control of a tainted system." Microsoft's most recent Edge browser depends on Google Chromium browser engine, Microsoft additionally encouraged its clients to update to the most recent 87.0.664.75 rendition of its Edge browser.

While researchers at Tenable group called the out-of-bounds bug as critical, both Google and Microsoft characterized the vulnerability as being of high seriousness. Tencent Security Xuanwu Lab scientist Bohan Liu is credited for finding and detailing the bug. The CVE-2020-15995 is distinguished as an "out of bounds written in V8", a bug initially found in September 2020 by Liu. V8 is Google's open-source and high-performance JavaScript and WebAssembly engine, as indicated by a Google developer description. Neither Microsoft nor Google clarified why the September 2020 CVE-2020-15995 is being highlighted again in both their security bulletins. Typically, that means that the first fix was incomplete.