Mozilla has rolled out a new version of its Firefox
web browser to address a critical zero-day vulnerability that has been abused for targeted attacks.
Details about the flaw and its exploitation are
rather sparse, however. What little is known, according to Mozilla’s security advisory released on Wednesday, is that it is a type confusion error that resides in IonMonkey, the just-in-time (JIT) compiler
for the browser’s SpiderMonkey JavaScript engine.
A warning from the United States’ Cybersecurity and
Infrastructure Security Agency (CISA) notes that the flaw could be exploited to
take control of an affected system.
Mozilla said that it is “aware of targeted attacks
in the wild abusing this flaw”. The vulnerability is tracked as CVE-2019-17026 and affects both Firefox and Firefox ESR, the
latter of which is used by large organizations.
The browser’s new versions – Firefox 72.0.1 and
Firefox ESR 68.4.1 – are available for all of its supported desktop platforms:
Windows, macOS and Linux. Needless to say, users are recommended to waste no
time in applying the update. The fixes can be implemented by going to the
Firefox menu and clicking on Help and then About
Firefox. Per Statcounter, Firefox commands a 9-percent desktop browser market share.
The updates came merely a day after Mozilla shipped
out Firefox 72.0 and Firefox ESR 68.4, which themselves included fixes for several
security flaws, albeit largely lesser in severity.
Last June, Mozilla patched two zero-days two days apart. Other web browsers,
notably Chrome and Internet Explorer, have also received emergency patches for
zero-days in recent months.
A few years back, ESET researchers documented how a then zero-day affecting Firefox was
being abused by threat actors.