Mozilla just released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 with the security fixes. The bugs are also fixed in Thunderbird 91.6.2. Both CVE-2022-26485 and CVE-2022-26486 are critical use-after-free memory-related flaws. CVE-2022-26486 could also lead to an exploitable sandbox escape, according to Mozilla. SEE: Cybersecurity: Let’s get tactical (ZDNet special report) “Removing an XSLT parameter during processing could have led to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw,” Mozilla explains. “An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw.” WebGPU is a browser specification for various interfaces that allow a web page to use a system’s GPU for improved graphics. Mozilla hasn’t released further details, but credits the bug reports to researchers at Chinese security firm Qihoo 360 ATA, Wang Gang, Liu Jialei, Du Sihang, Huang Yi and Yang Kang. While Firefox user numbers are declining, Mozilla performed fairly well in Google Project Zero’s analysis of how quickly software vendors fixed bugs. Mozilla patched nine of the 10 bugs affecting its software within 90 days of the initial report. It also took an average 46 days to fix bugs compared to 44 days for Google, 69 days for Apple, and 83 days for Microsoft. Looking at browsers, Chrome was the fastest and with 40 fixed bugs it had an average time to patch of 5.3 days. WebKit had 27 bugs and an 11.6-day average time to patch, while Firefox had eight bugs and a 16.6-day average time to fix.