
U.S. government warns against vulnerability found in Firefox, urges users to update to current version immediately

Less than two weeks into 2020, and the first critical security flaw in a web browser has surfaced.

The issue is found in Mozilla’s Firefox web browser, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is warning users about it.

The good news is that the issue has already been patched, and snagging the new Firefox 72.0.1 version resolves the issue. The bad news is that the issue has been exploited in the wild. As Mozilla explains it, “Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion.” In short, this means that outside parties could use malicious JavaScript code to exploit the flaw and hack a computer, thereby installing malicious code outside of Firefox. Mozilla has stated that the company is “aware of targeted attacks in the wild abusing this flaw,” but has not provided any information about how widespread the attacks are.

The Department of Homeland Security echoed the warning and urged users to “apply the necessary updates.” Such warnings that rise to the level of a cyber alert are fairly rare, and should be noted.

The bug was first detected by Chinese security company Qihoo 360 just two days after the initial update was released. The vulnerability is patched in Firefox 72.0.1 and Firefox Extended Support Release (ESR) 68.4.1. Firefox should check for updates immediately upon launch, but if you’ve disabled that setting, you can update your browser in the General tab inside settings.

Stay tuned for additional details as they become available.

Via PCWorld and TechCrunch