Mozilla has rolled out a new version of its Firefox web browser to address a critical zero-day vulnerability that has been abused for targeted attacks.
Details about the flaw and its exploitation are rather sparse, however. What little is known, according to Mozilla’s security advisory released on Wednesday, is that it is a type confusion error that resides in IonMonkey, the just-in-time (JIT) compiler for the browser’s SpiderMonkey JavaScript engine.
A warning from the United States’ Cybersecurity and Infrastructure Security Agency (CISA) notes that the flaw could be exploited to take control of an affected system.
Mozilla said that it is “aware of targeted attacks in the wild abusing this flaw”. The vulnerability is tracked as CVE-2019-17026 and affects both Firefox and Firefox ESR, the latter of which is used by large organizations.
The browser’s new versions – Firefox 72.0.1 and Firefox ESR 68.4.1 – are available for all of its supported desktop platforms: Windows, macOS and Linux. Needless to say, users are advised to waste no time in applying the update. The fixes can be implemented by going to the Firefox menu and clicking on Help and then About Firefox. Per Statcounter, Firefox commands a 9-percent desktop browser market share.
The updates came merely a day after Mozilla shipped out Firefox 72.0 and Firefox ESR 68.4, which themselves included fixes for several security flaws, albeit largely lesser in severity.
Last June, Mozilla patched two zero-days two days apart. Other web browsers, notably Chrome and Internet Explorer, have also received emergency patches for zero-days in recent months.
A few years back, ESET researchers documented how a then zero-day affecting Firefox was being abused by threat actors.