Firm finds zero-day in latest Firefox and Firefox ESR builds

Jan 9, 2020 07:30 GMT  ·  By

Mozilla has released new patches for Firefox, only a day after the company officially shipped version 72 of the browser.

The emergency patch was necessary because an actively exploited zero-day had been reported in Firefox, and Mozilla confirms that both the regular Firefox release and Firefox ESR are affected.

To be protected against exploits aimed at the zero-day, users must install Firefox 72.0.1 and Firefox ESR 68.4.1.
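The two minimum versions above differ by channel, so a naive "is it at least 72?" check would wrongly flag a patched ESR 68.4.1 install as vulnerable. The script below is an added example, not code from Mozilla or from this article: it parses the output of `firefox --version` (assumed here to look like `Mozilla Firefox 72.0.1` for the release channel and `Mozilla Firefox 68.4.1esr` for ESR) and compares against the patched version for the matching channel.

```python
import re
import subprocess

# Minimum patched versions from the Mozilla advisory, keyed by channel.
PATCHED = {
    "release": (72, 0, 1),
    "esr": (68, 4, 1),
}

# Assumed format of `firefox --version` output; the trailing "esr" marks the ESR channel.
_VERSION_RE = re.compile(r"Mozilla Firefox (\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(text):
    """Return (channel, (major, minor, patch)) or None if the text is not a Firefox version string."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, esr = m.groups()
    channel = "esr" if esr else "release"
    return channel, (int(major), int(minor), int(patch or 0))


def is_patched(text):
    """True if the version string is at or above the patched version for its channel,
    False if it is below, None if the string could not be parsed."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    channel, version = parsed
    # Tuple comparison handles "72.0" (no patch component, treated as 72.0.0) correctly.
    return version >= PATCHED[channel]


def check_local(binary="firefox"):
    """Run the local binary and report (parsed version, patched?). Not used by the offline test."""
    out = subprocess.run([binary, "--version"], capture_output=True, text=True, check=True).stdout
    return parse_version(out), is_patched(out)


if __name__ == "__main__":
    # Constructed sample strings, not output captured from a real machine.
    for sample in ("Mozilla Firefox 72.0", "Mozilla Firefox 72.0.1",
                   "Mozilla Firefox 68.4.0esr", "Mozilla Firefox 68.4.1esr"):
        print(f"{sample!r}: patched={is_patched(sample)}")
```

Because the check is keyed on the channel suffix, a machine running ESR 68.4.1 is reported as patched even though 68 is lower than 72, and a release build reporting 72.0 (no third component) is correctly reported as unpatched.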

Mozilla explains in a security advisory that the vulnerability was reported by Qihoo 360 ATA and describes it as a type confusion in the IonMonkey JIT compiler involving StoreElementHole and FallibleStoreElement.

“Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw,” Mozilla says in the advisory.

The vulnerability has been assigned a “critical” severity rating.

Patch, patch, patch!

The Cybersecurity and Infrastructure Security Agency (CISA) in the United States has also published a warning recommending that users install the latest Firefox version. A successful attack can give a malicious actor full control of the compromised device, it says.

“Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 72.0.1 and Firefox ESR 68.4.1 and apply the necessary updates,” CISA says.

At the time of writing, it’s not known how widespread the zero-day attacks actually are, but everyone is recommended to patch as soon as possible.

The flaw sits in the browser's JavaScript JIT compiler rather than in any platform-specific code, so it exists in Firefox on all supported desktop platforms: in addition to Windows devices, computers running Linux and macOS are exposed when running an unpatched version of the browser.