Mozilla patches Firefox zero-day as attackers exploit flaw

Release of Firefox 72.0.1 came one day after the newest version of the browser rolled out

10 January 2020

Just one day after releasing Firefox 72, Mozilla updated the browser with a fix to shut down active attacks, the company acknowledged.

On Wednesday, Mozilla issued Firefox 72.0.1, which included one change: a patch for the vulnerability identified as CVE-2019-17026. “We are aware of targeted attacks in the wild abusing this flaw,” Mozilla said in the short description of the flaw, signalling that criminals were already leveraging the zero-day vulnerability, the term applied because no time elapses between patching and exploitation.

Mozilla credited Qihoo 360, a Chinese developer of anti-virus and other security software, for reporting the bug. Qihoo also created and manages the 360 Secure Browser, which relies on Google’s rendering and JavaScript engines, as do Chrome and Microsoft Edge.

The Firefox flaw was characterised as a type confusion bug in the IonMonkey JavaScript JIT (Just-in-Time) compiler of SpiderMonkey, the browser’s JavaScript engine.

Mozilla rated the vulnerability as ‘critical’, the most serious rating in its multi-step ranking system. To manually update the browser, users can select Help > About Firefox on Windows or Firefox > About Firefox on macOS. The resulting page shows that the browser is either up to date or describes the refresh process.

Wednesday’s update was the first aimed at a zero-day vulnerability in Firefox since June, when Mozilla patched another critical type confusion flaw.

IDG News Service
