Mozilla releases patch for a severe vulnerability in Firefox that's being actively exploited


TS Addict
Staff member

If you're using Firefox as your go-to web browser, you might want to update it as soon as possible. Earlier today, Mozilla rushed out version 72.0.1 (and ESR 68.4.1) to fix a vulnerability that is actively being exploited in the wild to take control of machines running vulnerable builds of the popular open source browser.

If you need another reason to worry about running an unpatched version, the United States Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert stating that the vulnerability has been detected in exploits in the wild and that an attacker could use it to take control of an affected system.

Mozilla credits researchers at China-based Qihoo 360 with finding and reporting the bug, which is tracked as CVE-2019-17026. It is a "type confusion" vulnerability in IonMonkey, the just-in-time (JIT) compiler inside SpiderMonkey, the JavaScript engine at the core of Firefox.

In simple terms, it's a memory-safety bug: the program creates an object as one type but later reads or writes it as a different type, so the memory layout the code assumes no longer matches what is actually there. A specially crafted web page can turn that mismatch into reads and writes of memory that should be off-limits and, from there, into execution of attacker-supplied code on the vulnerable system.

The flaw has been fixed in Firefox 72.0.1, just 24 hours after version 72 was released with fixes for 11 other vulnerabilities. Last year, two serious zero-day flaws were chained to plant a largely undetected backdoor on Macs used by staff at cryptocurrency exchange Coinbase.
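To make the "created as one type, accessed as another" description concrete, here is a small added C example; it is not Firefox or SpiderMonkey code and does not reproduce CVE-2019-17026. It models, as an assumption for illustration, how a script engine might box values in a tagged union: the `Value` and `StrObj` types, the `str_len_confused` and `str_len_checked` accessors, and the constructed `fake` object are all invented for this demonstration. The point it shows is the one the article describes: once a type guard is missing, an attacker-chosen integer gets dereferenced as an object pointer, and whatever memory sits at that address is treated as a live object.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Illustrative type-confusion example (not Firefox/SpiderMonkey code).
 * A tiny tagged value, modelled loosely on how a script engine boxes
 * integers and heap objects. All names here are assumptions. */
typedef struct {
    size_t len;
    const char *data;
} StrObj;

typedef enum { TAG_INT, TAG_STR } Tag;

typedef struct {
    Tag tag;
    union {
        int64_t i;     /* meaningful only when tag == TAG_INT */
        StrObj *s;     /* meaningful only when tag == TAG_STR */
    } u;
} Value;

/* Vulnerable accessor: trusts the caller and never checks v->tag.
 * If v is really an integer, the integer's bits are dereferenced as a
 * StrObj pointer, i.e. the program reads from an attacker-chosen address. */
static long str_len_confused(const Value *v) {
    return (long)v->u.s->len;
}

/* Hardened accessor: the type guard that compiled code must keep. */
static long str_len_checked(const Value *v) {
    if (v->tag != TAG_STR) return -1;   /* refuse to treat an int as a string */
    return (long)v->u.s->len;
}

/* An integer whose bits equal the address of memory the "attacker"
 * controls becomes a fake string object once the guard is missing. */
static long demo_confusion(void) {
    /* Constructed attacker-controlled bytes laid out like a StrObj. */
    static const char payload[] = "AAAAAAAA";
    StrObj fake = { 1234, payload };

    Value v;
    v.tag = TAG_INT;
    v.u.i = (int64_t)(uintptr_t)&fake;   /* attacker-chosen integer */

    return str_len_confused(&v);         /* reads fake.len == 1234 */
}

/* Same input, but through the checked accessor. */
static long demo_checked(void) {
    static const char payload[] = "AAAAAAAA";
    StrObj fake = { 1234, payload };
    Value v = { TAG_INT, { .i = (int64_t)(uintptr_t)&fake } };
    return str_len_checked(&v);          /* -1: confusion refused */
}

/* A genuine string value works normally through the checked accessor. */
static long demo_real_string(void) {
    StrObj real = { 5, "hello" };
    Value v = { TAG_STR, { .s = &real } };
    return str_len_checked(&v);          /* 5 */
}

int main(void) {
    printf("confused accessor on int value: %ld\n", demo_confusion());
    printf("checked accessor on int value:  %ld\n", demo_checked());
    printf("checked accessor on string:     %ld\n", demo_real_string());
    return 0;
}
```

In the confused path the integer 1234 is never stored anywhere the program intended to read; it is reached only because the accessor believed the value was a string. Swap the address in `v.u.i` for any other address and the same code reads that memory instead, which is why a JIT that loses track of a value's type hands an attacker an arbitrary read, and with a matching write, code execution.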




Security of obscurity
It's "Security by Obscurity".

Also, Edge and IE are not obscure targets for hackers, scam artists, etc. They are likely high value as they are mostly used by old folk, casuals, etc. The type of people that typically use those browsers are far more likely to fall victim to a fake download button or phishing attempt. Make that double given that plugin support is very poor, which simply means that ad and JavaScript blocking apps aren't updated (if they exist at all) and provide additional attack vectors.


TS Booster
Ok, I guess I’ll stick to Microsoft Edge
Perhaps you missed the part where it's fixed? Just update. And for the record, this is one of the VERY few critical vulnerabilities found in Firefox. Edge has had dozens in the last two years.