Security researchers found a vulnerability in the Firefox browser; Mozilla asked users to update their browser to the latest version
Chinese researchers at security company Qihoo 360 have found vulnerabilities in Firefox’s just-in-time compiler, which is tasked with speeding up the performance of JavaScript to make websites load faster. However, the researchers found that the bug could allow malicious JavaScript to run outside of the browser on the host computer.
Mozilla immediately issued a security patch and asked Firefox users to update their browser to the latest version. Qihoo 360 found that hackers were actively exploiting the vulnerability in “targeted attacks” against users. Mozilla issued the security advisory for Firefox 72, which had only been out for two days before the vulnerability was found.
Homeland Security’s cyber advisory unit, the Cybersecurity and Infrastructure Security Agency, also issued a security warning, advising users to update to Firefox 72.0.1, which fixes the vulnerability. Little information was given about the bug, only that it could be used to “take control of an affected system.”
Below is the announcement from the Mozilla Foundation. Firefox users can download the latest version and update their settings.
CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement
- Reporter: Qihoo 360 ATA
- Impact: critical
- Description: Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw.