On Saturday 2022-03-05, Mozilla published Firefox 97.0.2, an “out-of-band” update that closed two bugs officially listed as critical.
Mozilla reports that both of these holes are already actively being exploited, making them so-called zero-day bugs, which means, in simple terms, that the crooks got there first:
We have had reports of attacks in the wild abusing [these] flaw[s].
Access to information about the bugs is still restricted to Mozilla insiders, presumably to make it harder for attackers to get at the technical details of how to exploit these security holes.
Assuming that the existing zero-day exploits are not widely known (these days, true zero-days are often jealously guarded by their discoverers because they’re considered both scarce and valuable), temporarily limiting access to the source code changes does provide some protection against copycat attacks.
As we’ve mentioned many times before on Naked Security, finding and exploiting a zero-day hole when you know where to start looking, and what to start looking for, is very much easier than discovering such a bug from scratch.
Just how urgent Mozilla considered this update can be inferred from the fact that it came out just three days before the next scheduled “in band” update was due anyway.
Indeed, by the time you read this, you may find you’re already on, or being offered, Firefox 98.0, which officially comes out on Tuesday 2022-03-08.
(In-band updates to Firefox are conventionally scheduled to arrive on every fourth Tuesday, rather than on the second Tuesday of each month like Microsoft’s and Adobe’s Patch Tuesday updates. Every few months, Patch Tuesday and Firefox Tuesday coincide, as they do in March 2022.)
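Since the article names 97.0.2 as the first release carrying the fixes, and notes that readers may already be on 98.0 or later, the practical check is whether an installed build is at or past that version. The following is an added example, not code from the article or from Mozilla: it parses a version out of text in the format `firefox --version` prints (the sample lines are constructed) and compares it component-wise, because a plain string comparison misorders versions once the major number grows (for instance "100.0" sorts before "98.0" as text). The `FIXED_VERSION` constant and the `is_patched` function are the example's own.

```python
# Added example (not from the Naked Security article): decide whether an installed
# Firefox build is at or past the fixed release named in the text (97.0.2).
# Versions are compared component-wise as integers, because plain string
# comparison gets "100.0" < "98.0" wrong.
import re

FIXED_VERSION = "97.0.2"  # first release carrying the fixes, per the article


def parse_version(text):
    """Extract a dotted version from text such as 'Mozilla Firefox 97.0.2'
    and return it as a tuple of ints, e.g. (97, 0, 2)."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed version is >= the fixed version.
    Shorter tuples are zero-padded so '98.0' compares as (98, 0, 0)."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


if __name__ == "__main__":
    # Constructed sample lines in the format `firefox --version` prints.
    for line in ["Mozilla Firefox 97.0.1", "Mozilla Firefox 97.0.2",
                 "Mozilla Firefox 98.0", "Mozilla Firefox 100.0.1"]:
        status = "patched" if is_patched(line) else "UPDATE NEEDED"
        print(f"{line}: {status}")
```

On a fleet, the same function can be run over collected `firefox --version` output to list hosts still below 97.0.2; the zero-padding matters because Mozilla's major releases carry only two components (98.0) while point releases carry three (97.0.2).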