Page Nav




Trending News


U.S. Government Warmed Firefox Users For Critical Security

A critical zero-day vulnerability in the Firefox browser has been spotted being exploited in the ... [+]LIGHTROCKET VIA GETTY IMAGES. Th...

A critical zero-day vulnerability in the Firefox browser has been spotted being exploited in the ... [+]LIGHTROCKET VIA GETTY IMAGES.
The United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued a notification that "encourages" users and administrators to update the Mozilla Firefox web browser. This, despite Firefox releasing a significant program update, to version 72, on January 7.

So, what is the reason for this level of Government agency interest and, indeed, the urgency in the language used? A critical zero-day vulnerability that can enable a threat actor to take control of users' computers. A critical zero-day vulnerability that is being actively exploited in the wild. The Mozilla Foundation, the sole shareholder in the Mozilla Corporation that makes the Firefox web browser that's the main competition to Google Chrome, published a security advisory January 8. That advisory addressed a critical zero-day vulnerability in Firefox that has been exploited in targeted attacks in the wild.

What is a zero-day vulnerability?

A zero-day, which can also be referred to as an 0day, is simply a security vulnerability that is not known to the product vendor or security researchers but, crucially, is known to threat actors who can then exploit it without anything preventing them. That's what has happened in the case of the Firefox 0day, CVE-2019-17026.

What is CVE-2019-17026? 

Known officially as CVE-2019-17026, there remains little public disclosure as to the precise nature of the vulnerability itself. Beyond that which the Mozilla advisory reveals, that is. What we do know, then, is that this is a "type confusion vulnerability" in the IonMonkey just-in-time (JIT) compiler for the Firefox SpiderMonkey JavaScript engine. The Mozilla Foundation describes the 0day vulnerability as being due to "incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion."

What is type confusion? 

What is a "type confusion" do I hear you ask? According to the Common Weakness Enumeration definition, a type confusion occurs when a program accesses a resource using an "incompatible type" which can then "trigger logical errors because the resource does not have expected properties." This, in turn, can lead to out-of-bounds memory access, and that opens the door to remote code execution.

What do you need to do now?

The Mozilla Foundation advisory states that it is "aware of targeted attacks in the wild abusing this flaw," something that is confirmed by the CISA alert mentioned earlier. The good news is that a second update within a day of the first has been made available for Firefox that patches the vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has encouraged users and administrators to "review the Mozilla Security Advisory for Firefox 72.0.1 and Firefox ESR 68.4.1 and apply the necessary updates."

This should be considered as a matter of some urgency, given that this critical zero-day is being exploited already. Windows users can check to see if Firefox is safe by hitting the hamburger menu to the top right of the browser and selecting "About Firefox" from the Help section. For Apple users, the option can be found in the 'top' Firefox menu. If your browser is showing as being version 72.0.1, then you are safe from this 0day exploit. Enterprise users should ensure that they have updated to version 68.4.1 of Firefox ESR.