Critical Firefox 0-Day Under Active Attacks


If you use Firefox on your Windows, Linux, or Mac systems, you should immediately update the free and open-source web browser to the latest version available on Mozilla’s website.

Why the urgency? Mozilla earlier today released Firefox 72.0.1 and Firefox ESR 68.4.1 to patch a critical zero-day vulnerability in the browser that an undisclosed group of hackers is actively exploiting in the wild.

Tracked as ‘CVE-2019-17026,’ the bug is a critical ‘type confusion vulnerability’ that resides in IonMonkey, the just-in-time (JIT) compiler of Mozilla’s JavaScript engine SpiderMonkey.

In general, a type confusion vulnerability occurs when code does not verify the type of an object passed to it and uses the object blindly, allowing attackers to crash the application or achieve code execution.

Without revealing details about the security flaw or about the ongoing potential cyberattacks, Mozilla said, “incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to type confusion.”

That means a remote attacker can exploit the issue in the vulnerable JavaScript engine component just by tricking an unsuspecting user into visiting a maliciously crafted web page, and thereby execute arbitrary code on the system within the context of the application.

The vulnerability was reported to Mozilla by cybersecurity researchers at Qihoo 360 ATA, who have also not yet released any information about their investigation, findings, and exploit.

Though Firefox, by default, automatically installs updates when they are available and activates the new version after a restart, you can always do a manual update using the built-in functionality by navigating to Menu > Help > About Mozilla Firefox.
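To check collected version strings against the two fixed releases named above, here is an added example (not code from Mozilla or from the original alert). It assumes version text in the form printed by `firefox --version`, with ESR builds carrying an `esr` suffix; the host names and inventory are constructed.

```python
import re

# Fixed versions named in the alert, one per channel.
FIXED = {"release": (72, 0, 1), "esr": (68, 4, 1)}

# Assumed input: text such as "Mozilla Firefox 72.0.1" or
# "Mozilla Firefox 68.4.1esr", as printed by `firefox --version`.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b", re.IGNORECASE)


def classify(version_text):
    """Return 'patched', 'needs-update' or 'unknown' for one version string."""
    match = VERSION_RE.search(version_text)
    if not match:
        # Betas ("73.0b4") and unparsable text land here; review them by hand.
        return "unknown"
    major, minor, patch, esr = match.groups()
    version = (int(major), int(minor), int(patch or 0))  # "72.0" -> (72, 0, 0)
    channel = "esr" if esr else "release"
    return "patched" if version >= FIXED[channel] else "needs-update"


def triage(inventory):
    """Map host -> status, and list hosts that are not confirmed patched."""
    status = {host: classify(text) for host, text in inventory.items()}
    follow_up = sorted(h for h, s in status.items() if s != "patched")
    return status, follow_up


# Constructed sample inventory (hypothetical host names).
SAMPLE = {
    "ws-01": "Mozilla Firefox 72.0.1",
    "ws-02": "Mozilla Firefox 72.0",
    "ws-03": "Mozilla Firefox 68.4.1esr",
    "ws-04": "Mozilla Firefox 68.4.0esr",
    "ws-05": "Mozilla Firefox 71.0 (x64 en-US)",
    "ws-06": "Mozilla Firefox 73.0b4",
}

if __name__ == "__main__":
    status, follow_up = triage(SAMPLE)
    for host in sorted(status):
        print(host, status[host])
    print("follow up:", ", ".join(follow_up))
```

Hosts reported as `unknown` are listed for follow-up rather than assumed safe, since the script cannot place them relative to the fixed versions.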

 

The information is gathered from The Hacker News.