Mozilla recently released Firefox 72 with numerous security updates. Besides better privacy features, the release also patched multiple security bugs. However, it seems something was missed, because Mozilla had to release another version. Firefox 72.0.1 is now out with a patch for a zero-day flaw.
Zero-Day Firefox Vulnerability Under Active Exploit
Researchers from the Chinese cybersecurity firm Qihoo 360 discovered a zero-day vulnerability in the Firefox browser. If exploited, the bug could allow an attacker to execute code on the target device.
As described in Mozilla’s advisory, the browser contained a type confusion vulnerability. Regarding the flaw, tracked as CVE-2019-17026, Mozilla stated:
Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion.
More troubling, the zero-day was already under active exploitation. Mozilla confirmed this in its advisory:
We are aware of targeted attacks in the wild abusing this flaw.
No further information is currently available about how the perpetrators exploited this flaw in the wild.
Mozilla Patched The Flaw
After receiving the report about the zero-day, Mozilla worked on a fix. Soon after rolling out Firefox 72, it released Firefox 72.0.1, which includes the fix for the zero-day.
According to ZDNet, the Qihoo 360 researchers also disclosed an accompanying, actively exploited zero-day vulnerability in Internet Explorer. However, shortly after sharing the news via Twitter, they deleted their tweet. Hence, it is somewhat unclear whether any such related vulnerability existed or still exists.