If you are using Firefox as your web browsing software on your Windows, Linux, or Mac systems, you should immediately update your free and open-source Firefox web browser to the latest version available on Mozilla’s website.

Why the urgency? Mozilla earlier today released Firefox 72.0.1 and Firefox ESR 68.4.1 versions to patch a critical zero-day vulnerability in its browsing software that an undisclosed group of hackers is actively exploiting in the wild.

Tracked as ‘CVE-2019-17026,’ the bug is a critical ‘type confusion vulnerability’ that resides in the IonMonkey just-in-time (JIT) compiler of Mozilla’s JavaScript engine, SpiderMonkey.

In general, a type confusion vulnerability occurs when code doesn’t verify the type of an object passed to it and uses the object blindly, allowing attackers to crash the application or achieve code execution.

Smart home tech maker Wyze Labs confirmed that the user data of over 2.4 million of its users was exposed by an unsecured database connected to an Elasticsearch cluster for over three weeks, from December 4 to December 26.

The company discovered the incident after receiving an inquiry from an IPVM reporter via a “support ticket at 9:21 a.m. on December 26,” immediately followed by IPVM publishing a piece “at 9:35 a.m.” covering the exposed database discovered by security consulting firm Twelve Security.

However, as Dongsheng Song, Wyze’s Co-Founder and Chief Product Officer, said in a blog post, some of the reported information wasn’t accurate.

“We do not send data to Alibaba Cloud. We don’t collect information about bone density and daily protein intake even from the products that are currently in beta testing,” he said in response to Twelve Security’s disclosure and IPVM’s story. “We did not have a similar breach 6 months ago.”
