March 9 — In a recent announcement, the US Cybersecurity and Infrastructure Security Agency (CISA) ordered American federal civilian agencies to patch two critical Firefox security vulnerabilities within the next 14 days.
“These types of vulnerabilities are a frequent attack vector for malicious cyber actions of all types and pose significant risk to the federal enterprise,” stated CISA. While the new mandate only applies to federal agencies, CISA urges both public and private sector organizations to mitigate these security issues.
How hackers can exploit the bugs
The bugs are rated as critical severity, as they can enable attackers to execute nearly any command on systems running vulnerable Firefox versions.
The bugs are tracked as CVE-2022-26485 and CVE-2022-26486, respectively. Both are “Use After Free” flaws that enable attackers to trigger crashes and to inject malicious code onto targeted devices. Once devices have been breached, certain malware can also give hackers in-depth access to device data.
Bug catalogue updates
Last week, CISA added 95 vulnerabilities to its catalogue of bugs that organizations should patch promptly. Eight of those listed carry critical severity scores of at least 9.8.
For more information about building cyber security resilience, see CyberTalk.org’s past coverage.