New version of the browser now available for download

Jun 19, 2019 04:53 GMT

Mozilla has released an emergency patch for the Firefox browser to resolve a vulnerability that is already being exploited in the wild.

The vulnerability, which is documented in the official Mozilla advisory, is a type confusion in Array.pop, and it was discovered by a Google engineer on the Google Project Zero team.

Mozilla doesn’t provide many details about the detected attacks, but users are advised to install the latest version of Firefox as soon as possible.

Rumor has it that the flaw could be used for stealing cryptocurrency, although this hasn’t been confirmed by Mozilla. More information, however, could be provided in the coming days after the majority of users install the new version.

“A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw,” the parent company explains in its advisory.

Flaw discovered by Google Project Zero engineer

The vulnerability was discovered by Samuel Groß of Google Project Zero, Coinbase Security.

It is important to note that the security flaw, which has been rated critical, exists in Firefox versions older than 67.0.3, so users must install this latest release to be protected against potential exploits.

Additionally, users of Firefox ESR should install version 60.7.1 to resolve the vulnerability.

You can download Firefox for Windows, Linux, and Mac (version 60.7.3) from Softpedia using the links here.

Mozilla has also started the automatic rollout through the built-in update system in Firefox, so users who launch the browser in the coming hours should be offered the new version without additional input. The patch requires a browser restart to install.