Firefox 74.0.1 fixes in-the-wild zero-days (CVE-2020-6819/6820)

High-level summary

Mozilla shipped Firefox 74.0.1 and Firefox ESR 68.6.1 on 31 March 2020 to remediate two critical use-after-free vulnerabilities (CVE-2020-6819 and CVE-2020-6820) in the browser's nsDocShell and ReadableStream components. Mozilla confirmed in-the-wild exploitation of both vulnerabilities, requiring immediate deployment across all managed Firefox installations including ESR channels used by enterprise environments.

Critical Vulnerabilities

The emergency release addresses two distinct memory corruption vulnerabilities:

• CVE-2020-6819 (Use-after-free in nsDocShell): A use-after-free vulnerability in nsDocShell could be triggered when processing specific patterns of document navigation. Successful exploitation could allow arbitrary code execution in the browser process context.
• CVE-2020-6820 (Use-after-free in ReadableStream): A use-after-free vulnerability in the ReadableStream class could be triggered during certain conditions related to stream handling. This vulnerability could also enable arbitrary code execution through malicious web content.

Both vulnerabilities received Critical severity ratings from Mozilla due to their potential for complete browser compromise through malicious web pages.

In-The-Wild Exploitation

Mozilla's security advisories specifically noted that both vulnerabilities "have been exploited in the wild," indicating that threat actors were actively using these flaws before patches became available. This designation places the vulnerabilities among the most urgent security issues requiring immediate remediation:

• Targeted attacks: Zero-day browser vulnerabilities are frequently used in targeted attack campaigns against high-value individuals and organizations.
• Watering hole potential: Attackers may compromise legitimate websites to serve exploit code targeting visitors using vulnerable Firefox versions.
• Drive-by downloads: Exploitation could occur simply by visiting a malicious or compromised webpage without additional user interaction.
• Exploit kit integration: Active exploitation increases the likelihood of broader distribution through commercial exploit kits targeting wider populations.

Affected Products

If you are affected, identify and update the following affected Firefox products:

• Firefox Desktop: All versions before 74.0.1 across Windows, macOS, and Linux platforms require updating.
• Firefox ESR: Extended Support Release versions before 68.6.1 are vulnerable. Many enterprise environments rely on ESR for stability and must still apply this security update.
• Firefox for Android: Mobile Firefox users should verify they are running version 68.6.1 or later.
• Thunderbird: Email client releases based on Firefox code received matching security patches in Thunderbird 68.6.1.

Attack Surface Analysis

Understanding how these vulnerabilities might be exploited helps focus on remediation:

• Web browsing risk: Any web browsing activity using vulnerable Firefox versions exposes users to potential exploitation through malicious pages.
• Administrative consoles: Many IT and security tools provide web-based administration interfaces commonly accessed through Firefox.
• Developer workflows: Developers frequently use Firefox for web application testing, potentially exposing development environments.
• Email exploitation: Thunderbird users may face exploitation through HTML email messages containing trigger content.
• Embedded browsers: Applications embedding Firefox rendering components may inherit vulnerability exposure.

Enterprise Deployment Strategy

Your IT team should implement structured remediation for Firefox deployments:

• Automated updates: Verify that Firefox automatic updates are enabled and functioning across unmanaged devices. Firefox should self-update within hours of patch release.
• Managed deployment: For enterprise-managed installations, push Firefox 74.0.1 or ESR 68.6.1 through software distribution tools immediately.
• Update verification: Query endpoint management systems to confirm successful update deployment and identify remaining vulnerable instances.
• Browsing restrictions: Consider temporary web browsing restrictions for systems that cannot be immediately patched, particularly administrative workstations.
• Exploit protection: Enable and monitor Windows Defender Exploit Guard, EMET, or similar exploit mitigation technologies for Firefox processes.

ESR Channel Considerations

Enterprise environments using Firefox ESR face specific considerations:

• Update urgency: ESR users cannot defer this update despite the extended support model's typical emphasis on stability over feature updates.
• Compatibility testing: Internal web applications and extensions validated against ESR should be tested following the emergency update.
• Policy alignment: Group Policy and enterprise configuration settings should permit security updates even when feature updates are restricted.
• Deployment tracking: Monitor ESR-specific update channels and deployment mechanisms for successful remediation.

VDI and Thin Client Updates

Organizations using virtual desktop infrastructure or thin clients must address non-persistent environments:

• Golden image updates: Update master images used for VDI provisioning to include Firefox 74.0.1 or later.
• Persistent profiles: Ensure user profile persistence mechanisms do not preserve vulnerable Firefox versions across session recreation.
• Application publishing: Update published Firefox applications in Citrix, VMware Horizon, or similar environments.
• Refresh cycle coordination: Accelerate scheduled image refresh cycles to deploy the security update more rapidly.

Detection and Monitoring

Your security team should implement monitoring for exploitation attempts:

• Monitor for anomalous Firefox process behavior including unexpected child process spawning or network connections
• Review web proxy logs for traffic to known exploit kit domains or suspicious redirect chains
• Alert on Firefox crashes that might show exploitation attempts
• Implement browser isolation for high-risk browsing activities until fleet-wide patching is confirmed

Closing analysis

The Firefox 74.0.1 emergency release shows the importance of rapid browser patching capabilities and the ongoing risk posed by browser-based attacks. If you are affected, treat in-the-wild exploitation as a maximum urgency indicator requiring immediate deployment regardless of normal change management procedures. The availability of patches for both standard and ESR channels ensures that all Firefox users can achieve protection promptly.

More on this topic

Further reading from our research library.

Cybersecurity · Credibility 91/100 · March 30, 2020

FBI FLASH warns of Kwampirs supply-chain intrusions

The FBI issued a FLASH alert about the Kwampirs remote-access Trojan targeting supply-chain and healthcare networks, urging organizations to hunt for indicators, tighten remote access, and segment critical systems.

Cybersecurity · Credibility 86/100 · March 30, 2020

FBI warns of teleconferencing hijacking during COVID-19 shift

The FBI’s 30 March 2020 PSA highlights wave of teleconference hijacking; organizations need enforced meeting controls, user education, and monitoring to stop uninvited participants and limit data leakage.

Cybersecurity · Credibility 73/100 · April 2, 2020

FBI and CISA issue videoconferencing hijacking guidance

A joint FBI and CISA advisory on April 2, 2020 warned organizations to harden videoconferencing settings after hijacking incidents, recommending passwords, waiting rooms, and restricted sharing to protect remote classes…

Cybersecurity · Credibility 91/100 · March 24, 2020

Cybersecurity — Apple

Apple released macOS Catalina 10.15.4 and Security Update 2020-002 for Mojave and High Sierra, patching actively exploited WebKit flaws and other kernel and mail vulnerabilities.

Cybersecurity · Credibility 86/100 · March 23, 2020

Microsoft warns of Type 1 Font parsing zero-day (ADV200006)

Microsoft’s ADV200006 advisory warns of two Type 1 font parsing RCEs (CVE-2020-1020, CVE-2020-0938) exploited in the wild, requiring immediate patching, EMET-style mitigations, and hardened document-handling controls to…

Continue in the Cybersecurity pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Cybersecurity Operations Playbook

  Use our research to align NIST CSF 2.0, CISA KEV deadlines, and sector mandates across threat intelligence, exposure management, and incident response teams.

• Network Security Fundamentals Explained Practically

  A practitioner-focused guide to network security fundamentals covering firewalls, segmentation, IDS/IPS, DNS security, VPNs, wireless security, zero trust architecture, and traffic…

• Small Business Cybersecurity Survival Checklist

  A budget-conscious cybersecurity checklist built specifically for small businesses. This guide covers foundational security policies, network hardening, employee training, phishing…

Coverage intelligence

Published

March 31, 2020

Coverage pillar

Cybersecurity

Source credibility

73/100 — medium confidence

Topics

Firefox 74.0.1 · CVE-2020-6819 · CVE-2020-6820

Sources cited

3 sources (mozilla.org, iso.org)

Reading time

5 min

Source material

1. Mozilla Foundation Security Advisory 2020-11 — Mozilla
2. Firefox 74.0.1 Release Notes — Mozilla
3. ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization