Firefox 74.0.1 fixes in-the-wild zero-days (CVE-2020-6819/6820)

Executive briefing: Mozilla shipped Firefox 74.0.1 and Firefox ESR 68.6.1 to remediate two critical use-after-free flaws (CVE-2020-6819 and CVE-2020-6820) in the browser’s impact and XSLT components. Mozilla reported in-the-wild exploitation and recommended immediate deployment. The updates arrived weeks after Firefox 74 and were released alongside matching Thunderbird patches.

Why it matters

• Both vulnerabilities enable arbitrary code execution via crafted web content and were actively exploited prior to disclosure.
• Firefox is commonly used for web-based admin consoles and developer workflows; unpatched browsers widen phishing and drive-by attack risk.
• ESR users also require updates, preventing organizations from relying on extended support channels to defer deployment.

Operator actions

• Deploy Firefox 74.0.1 (or later) and ESR 68.6.1 through endpoint management tools; confirm automatic updates are enabled for unmanaged devices.
• Reinforce browsing restrictions for admin workstations until fleet compliance is verified and review exploit protection telemetry for Firefox processes.
• Update thin clients and VDI images that bundle Firefox to avoid reintroducing vulnerable versions during refresh cycles.

Key sources

• Mozilla Security Advisory 2020-11 discloses CVE-2020-6819 and CVE-2020-6820 with notes on observed exploitation and fixed versions.
• Firefox 74.0.1 release notes summarize the emergency security update and affected channels.