Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Mozilla Patches Firefox Zero-Day Exploited in Targeted Attacks

Updates released by Mozilla on Wednesday for its Firefox browser address a zero-day vulnerability that has been exploited in targeted attacks.

Updates released by Mozilla on Wednesday for its Firefox browser address a zero-day vulnerability that has been exploited in targeted attacks.

The vulnerability, tracked as CVE-2019-17026 and classified as having critical impact, has been described by Mozilla as an “IonMonkey type confusion with StoreElementHole and FallibleStoreElement.” IonMonkey is the Just-in-Time (JIT) compiler for Firefox’s SpiderMonkey JavaScript engine.

“Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion,” Mozilla explained in its advisory.

Mozilla says it’s aware of targeted attacks exploiting this zero-day, but no other information has been made available.

A Current Activity bulletin released by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) says the vulnerability could allow an attacker to take control of an affected system.

The flaw has been patched with the release of Firefox 72.0.1 and Firefox ESR 68.4.1, and users have been advised to update their installations.

Advertisement. Scroll to continue reading.

Mozilla has credited Chinese cybersecurity company Qihoo 360 for informing it about the vulnerability. ZDNet reported that Qihoo 360 posted a tweet saying that the Firefox zero-day had been exploited alongside an Internet Explorer zero-day, but the tweet has been deleted and there is no word from Microsoft regarding an Internet Explorer zero-day.

Mozilla last year patched two Firefox zero-day vulnerabilities that had been exploited to deliver Mac malware to cryptocurrency exchanges.

The organization this week released Firefox 72, which improves privacy by allowing users to delete telemetry data and by blocking fingerprinting scripts by default. Firefox 72 also patches nearly a dozen vulnerabilities, including 5 rated high severity. 

Related: Tech Support Scammers Exploiting Unpatched Firefox Bug

Related: Mac Malware Delivered via Firefox Exploits Analyzed

Related: Firefox Zero-Day Exploited to Deliver Malware to Cryptocurrency Exchanges

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.