Urgent Firefox Patch Issued for Zero-Day Under Active Attack
Mozilla has rushed out an urgent Firefox update to fix a critical zero-day flaw that is being actively exploited in the wild.
New Firefox Vulnerability Exploited in the Wild
This week Mozilla released Firefox v72.0.1, a new version of the web browser that resolves a vulnerability that has been actively exploited in the wild.
Mozilla stated in a security bulletin on Wednesday that it was “aware of targeted attacks in the wild that were abusing the flaw. A successful attack could make it possible for attackers who successfully exploit it to abuse affected systems.”
The disclosure came just one day after Mozilla released Firefox 72 on Tuesday. That release introduced new privacy features and patched 5 high-severity bugs. The latest release of Firefox ESR (Extended Support Release), which is designed for easy, large-scale deployments, is version 68.4.1 and also includes a number of fixes.
How the Firefox Vulnerability Can Affect You
The vulnerability is a type confusion bug: a defect in which code accesses memory as one type when it actually holds another. Such bugs can lead to out-of-bounds memory access and, from there, to component crashes or code execution that an attacker can easily exploit. The attack can be carried out by luring a Firefox user running an outdated browser to a web page hosting malicious code.
“Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion,” Firefox developers stated in a security advisory on Wednesday.
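As an added illustration of the bug class described above (this is not code from the article or from Mozilla's IonMonkey; the value layout, tag names and functions are hypothetical), the following C snippet shows how a skipped type check on a boxed value turns an integer payload into a pointer when an array element is set, beside the tag- and bounds-checked version a defender would want:

```c
#include <stdint.h>

typedef enum { TAG_INT = 1, TAG_ARRAY = 2 } tag_t;

/* A fixed-size heap array with an explicit length (hypothetical layout). */
typedef struct { int32_t len; int32_t elems[8]; } array_t;

/* A boxed value that is either an integer or an array; the tag says which. */
typedef struct {
    tag_t tag;
    union { intptr_t i; array_t *arr; } u;
} value_t;

/* Vulnerable pattern: the caller "knows" v is an array (a stale type
 * assumption, like bad alias information in a JIT) and never re-checks the
 * tag. The pointer the code WOULD write through is returned rather than
 * dereferenced, so the confusion can be observed without a crash. */
uintptr_t confused_array_ptr(const value_t *v)
{
    return (uintptr_t)v->u.arr;  /* if v holds an int, its bits become a pointer */
}

/* Hardened: check the runtime tag and the index before touching memory.
 * Returns 0 on success, -1 on tag mismatch, -2 on an out-of-bounds index. */
int set_element_checked(value_t *v, int32_t idx, int32_t x)
{
    if (v->tag != TAG_ARRAY) return -1;
    if (idx < 0 || idx >= v->u.arr->len) return -2;
    v->u.arr->elems[idx] = x;
    return 0;
}

/* Returns 1 when the hardened path accepts a valid write, rejects both a
 * confused integer and an out-of-bounds index, and the unchecked path would
 * have turned the (constructed) integer payload 0x41414141 into a pointer. */
int demo_confusion(void)
{
    array_t a = { 4, {0} };
    value_t arr = { TAG_ARRAY, { .arr = &a } };
    value_t n = { TAG_INT, { .i = 0x41414141 } };
    int ok = set_element_checked(&arr, 2, 7) == 0 && a.elems[2] == 7;
    int rejected = set_element_checked(&n, 0, 1) == -1 &&
                   set_element_checked(&arr, 4, 1) == -2;
    return ok && rejected && confused_array_ptr(&n) == (uintptr_t)0x41414141;
}
```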
More Bugs in the New Mozilla Release
The major release earlier in the week also tackled a number of bugs. One of the flaws (CVE-2019-17015) is described as “memory corruption in parent process during new content process initialization on Windows.” Others include CVE-2019-17017 for a type confusion vulnerability and CVE-2019-17025 for a “memory-safety bug”.
The 72 release also brings expanded cross-site tracking protections, a new way of handling notification request popups, floating video windows, and a control to request that Mozilla delete the telemetry data it has collected. “Mozilla decided to hide these notifications after finding 97% of users dismissed them,” reported ZDNet. “Instead of intrusive popups, notification requests will appear as a ‘speech bubble’ in the address bar.”
Firefox 72 relies on a blacklist of companies known to conduct browser fingerprinting; that list is managed by Disconnect.
The new version also includes a control that lets users request Mozilla delete their telemetry data, part of its efforts to comply with the California Consumer Privacy Act (CCPA). Mozilla has yet to explain where that control is located in the browser settings, but plans to enable the feature globally.