Mozilla Releases Security Updates for Firefox
Mozilla has released a security advisory about two security vulnerabilities fixed in Firefox 75 and Firefox ESR 68.7 running on the Windows, macOS and Linux operating system.
Two use-after-free security vulnerabilities (CVE-2020-6819 and CVE-2020-6820) have been found affecting Firefox and Firefox ESR. Both of these vulnerabilities have been seen currently being exploited in the wild.
The first vulnerability CVE-2020-6819 is caused by the running of nsDocShell destructor in which under certain circumstances a race condition can occur causing a use-after-free. The second vulnerability CVE-2020-6820 occurs when handling a ReadableStream in which under certain circumstances a race condition can occur causing a use-after-free.
If an attacker is able to successfully exploit any of these vulnerabilities, it could allow them to perform an arbitrary code execution. And depending on the privileges associated with the account, an attacker could install software; view, change, or delete data; or even create new user accounts. Accounts that are configured with fewer privileges could be less impacted than those with administrative privileges.
It is strongly recommended to update to Firefox version 75 and Firefox ESR version 68.7 or newer.
Zoom Recordings Exposed on the Open Web
Thousands of Zoom recordings have been found exposed on the open Web, highlighting yet another privacy and possible security risk as people move their personal interactions to video calls due to social distancing. These open recordings can, and have, exposed a significant amount of personal and private information, as uncovered by The Washington Post.
These openly accessible Zoom recordings are not the because of Zoom's servers, or servers it controls, exposing the recordings, but rather recordings that people recorded locally then uploaded to an unsecure and open cloud storage. These recordings can be easily found due to the fact that Zoom meeting recordings are named in “an identical way”. Allowing for thousands of these recoding to be found through the use of special search engines that can look through cloud storage. So far The Washington Post has not revealed the naming convention used by the Zoom recordings and alerted Zoom before the story was published.
Zoom Recordings can contain personal and private information. If a hacker gains access to user recordings they could gather PII or other private data.
In a Zoom statement they said they offer "a safe and secure way for hosts to store recordings” and provided guidelines for how users can improve their Zoom's call security. “Zoom meetings are only recorded at the host’s choice either locally on the host’s machine or in the Zoom cloud. Should hosts later choose to upload their meeting recordings anywhere else, we urge them to use extreme caution and be transparent with meeting participants, giving careful consideration to whether the meeting contains sensitive information and to participants’ reasonable expectations.” Users who intend to store recordings in the cloud should make sure that the recording is stored in a secure place to prevent unauthorized individuals from accessing and viewing them.