Updated January 10th, 2020 at 18:11 IST

Zero-Day Vulnerability in Mozilla Firefox Exploited in Targeted Attacks

Mozilla released a security advisory to address a critical zero-day vulnerability -- CVE-2019-17026 -- spotted in Mozilla Firefox.

Reported by: Tech Desk

Mozilla released a security advisory to address a critical zero-day vulnerability -- CVE-2019-17026 -- spotted in Mozilla Firefox. The flaw has been exploited in targeted attacks. Researchers describe CVE-2019-17026 as a type confusion vulnerability in IonMonkey, the JavaScript Just-In-Time (JIT) compiler for SpiderMonkey, which is Mozilla's JavaScript engine. According to Mozilla's advisory, the flaw exists in the JIT compiler due to "incorrect alias information for setting array elements," specifically in StoreElementHole and FallibleStoreElement.

Qihoo 360 ATA researchers reported the vulnerability to Mozilla. Mozilla's advisory states they are "aware of targeted attacks in the wild abusing this flaw." It seems the vulnerability was exploited in the wild as a zero-day. More details about the exploitation are awaited. Last year, Mozilla patched CVE-2019-11707, another type confusion vulnerability, which was used in targeted attacks in conjunction with CVE-2019-11708, a sandbox escape vulnerability.

To address the CVE-2019-17026 vulnerability, Mozilla released Firefox 72.0.1 and Firefox ESR 68.4.1. Since this vulnerability has been exploited in targeted attacks, Firefox users are advised to upgrade as soon as possible.

Earlier this week, Mozilla announced the release of Firefox 72 and Firefox Extended Support Release (ESR) 68.4. Mozilla also announced that Firefox 72 protects users against fingerprinting by blocking all third-party requests to companies that are known to participate in fingerprinting. "This prevents those parties from being able to inspect properties of a user’s device using JavaScript. It also prevents them from receiving information that is revealed through network requests, such as the user’s IP address or the user agent header."

Last month, Mozilla announced the rollout of Firefox Preview 3.0. The upcoming, brand new version of the Firefox browser for Android is based on a revised rendering engine. It includes features such as improved tracking protections, an updated workflow menu, and the ability to move the navigation bar to the top, among other enhancements. It also claims to provide users with better security.

Published January 10th, 2020 at 18:11 IST