Urgent Firefox Patch Issued for Zero-Day Under Active Attack

Urgent Firefox Patch Issued for Zero-Day Under Active Attack

New Firefox Vulnerability Exploited in the Wild

This week Mozilla released Firefox v72.0.1, a new version of the web browser that resolves a vulnerability that has been actively exploited in the wild.

Mozilla stated in a security bulletin on Wednesday that it was “aware of targeted attacks in the wild that were abusing the flaw. A successful attack could make it possible for attackers who successfully exploit it to abuse affected systems,” according to Mozilla.

The recent disclosure came just one day after Mozilla released its latest Firefox 72 browser on Tuesday. The recent release introduced new privacy features along with patching 5 high-severity bugs. The latest release for Firefox ESR (Extended Support Release), designed for easy and large-scale deployments, is version 68.4.1 and also included a number of fixes.

How the Firefox Vulnerability Can Affect You

The critical vulnerability (CVE-2019-17026) impacts IonMonkey, which is a JavaScript JIT (Just-in-Time) compiler for SpiderMonkey, the main component at Firefox’s core that handles JavaScript operations (Firefox’s JavaScript engine).

The vulnerability is a type confusion vulnerability: a specific bug that can lead to out-of-bounds memory access and can lead to code execution or component crashes that an attacker can easily exploit. The attack can be leveraged by luring a Firefox user with an outdated browser to other web pages with malicious code.

“Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion,” Firefox developers stated in a security advisory on Wednesday.

More Bugs in the New Mozilla Release

The major release earlier in the week also tackled a number of bugs. One of the flaws (CVE-2019-17015) is described as “memory corruption in parent process during new content process initialization on Windows.” Others include CVE-2019-17017 for a type confusion vulnerability and CVE-2019-17025 for a “memory-safety bug”.

The new 72 release also entails more cross-site tracking protections instead of dealing with notification request popups, floating video windows, and a control to request that Mozilla deletes the telemetry data collected. “Mozilla decided to hide these notifications after finding 97% of users dismissed them,” reported ZDNet. “Instead of intrusive popups, notification requests will appear as a ‘speech bubble’ in the address bar.”

Firefox 72 relies on a blacklist of companies known to conduct browser fingerprinting and that list is managed by Disconnect.

“Firefox 72 protects users against fingerprinting by blocking all third-party requests to companies that are known to participate in fingerprinting,” explained Mozilla privacy engineer Steven Englehardt. “This prevents those parties from being able to inspect properties of a user’s device using JavaScript. It also prevents them from receiving information that is revealed through network requests, such as the user’s IP address or the user agent header.”

The new version also includes a control to allow users to request Mozilla delete telemetry data as part of its efforts to comply with the California Consumer Privacy Act (CCPA). Mozilla is yet to explain where that control is located in the browser settings, but plans on enabling the feature globally.

Protect Your Environment from Future Zero-Day Vulnerabilities

Syxsense Manage and Syxsense Secure can easily resolve vulnerabilities across your entire environment. Find peace of mind by trusting your Syxsense and set up a free trial today.