Popular Web Browsers Report Bugs That Allow Remote Session Hijacking
The makers of the popular web browsers Firefox, Chrome, and Edge are urging users to patch critical vulnerabilities that could allow threat actors to hijack systems, including phones and tablets, that are running the affected software.
On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) urged users of Mozilla Foundation’s Firefox browser to patch a bug tracked as CVE-2020-16044 and rated critical. The vulnerability is classified as a use-after-free bug and is tied to the way Firefox handles browser cookies; if exploited, it allows hackers to gain access to the computer, phone or tablet running the browser software. Impacted are Firefox browser versions released prior to the recently released Firefox desktop 84.0.2, Firefox Android 84.1.3 edition and Mozilla’s corporate ESR 78.6.1 version of Firefox.
Also on Thursday, CISA urged Windows, macOS and Linux users of Google’s Chrome browser to patch an out-of-bounds write bug (CVE-2020-15995) impacting the current 87.0.4280.141 version of the software. The CISA bug warning stated that the update to the latest version of the Chrome browser “addresses vulnerabilities that an attacker could exploit to take control of an affected system.”
Because Microsoft’s latest Edge browser is based on Google’s Chromium browser engine, Microsoft also urged its users to update to the latest 87.0.664.75 version of its Edge browser.
Twelve additional bugs were reported by Google, impacting its Chromium browser engine. Both Google and Microsoft featured the same list of vulnerabilities:
- CVE-2021-21106
- CVE-2021-21107
- CVE-2021-21108
- CVE-2021-21109
- CVE-2021-21110
- CVE-2021-21111
- CVE-2021-21112
- CVE-2021-21113
- CVE-2021-21114
- CVE-2021-21115
- CVE-2021-21116
- CVE-2020-16043
Sources:
- Mozilla Foundation Security Advisory 2021-01
- Chromium Security Updates for Microsoft Edge (Chromium-Based)