Mozilla patches Firefox zero-day


Mozilla today released Firefox v72.0.1, a new version of the Firefox web browser that fixes a vulnerability that is being actively exploited in the wild.

The vulnerability impacts IonMonkey, which is a JavaScript JIT compiler for SpiderMonkey, the main component at Firefox’s core that handles JavaScript operations (Firefox’s JavaScript engine).

The vulnerability was categorized as a type confusion, a memory bug where a memory input is initially allocated as one type but gets switched to another type during manipulation, causing unexpected consequences to data processing, including the ability to execute code on a vulnerable system.

“Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion,” Firefox developers said in a security advisory today.

No information is available on how the vulnerability is being used in the wild.

Mozilla credited Chinese cyber-security firm Qihoo 360 with finding and reporting the bug.

In a now-deleted tweet, Qihoo 360 Core said there is also an accompanying Internet Explorer zero-day that is under active attack.

A Qihoo 360 spokesperson did not reply to a request for comment. Microsoft did not issue any out-of-band security updates for Internet Explorer.

This is the third Firefox zero-day that Mozilla has patched over the last year. They previously patched two zero-days last June [12]. The zero-days were used in attacks against Coinbase staffers. Earlier today, Mozilla released Firefox 72, which improves privacy, cuts down on notification spam, and includes its own security fixes.

Firefox users can update to Firefox 72.0.1 by using the browser’s built-in updater found in Help -> About Firefox.
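For administrators who need to confirm the update across many machines, the following added example (not Mozilla's code) sorts collected version strings against the fixed release, 72.0.1. The host names and inventory are constructed, and the input format is assumed to be what `firefox --version` prints; builds with a channel suffix such as ESR or beta are not covered by this article, so they are routed to a manual check instead of being guessed at.

```python
import re
from collections import defaultdict

# Fixed release named in the article. Firefox 72.0, shipped the same day,
# does NOT contain the fix, so the patch component matters.
FIXED = (72, 0, 1)

# Matches a trailing version such as "72.0.1", "72.0", "68.4.1esr", "73.0b4".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?([a-z]+\d*)?\s*$", re.I)


def classify(version_string):
    """Return 'patched', 'needs-update', 'check-advisory' or 'unparsed'."""
    m = _VERSION_RE.search(version_string.strip())
    if not m:
        return "unparsed"
    major, minor, patch, suffix = m.groups()
    if suffix:
        # ESR/beta/nightly builds follow their own release trains; the
        # article gives no fixed version for them, so do not guess.
        return "check-advisory"
    version = (int(major), int(minor), int(patch or 0))
    return "patched" if version >= FIXED else "needs-update"


def triage(inventory):
    """Group (host, version_string) pairs by classification."""
    buckets = defaultdict(list)
    for host, version_string in inventory:
        buckets[classify(version_string)].append(host)
    return dict(buckets)


# Constructed sample inventory (hypothetical hosts).
SAMPLE_INVENTORY = [
    ("ws-001", "Mozilla Firefox 72.0.1"),
    ("ws-002", "Mozilla Firefox 72.0"),
    ("ws-003", "Mozilla Firefox 71.0"),
    ("ws-004", "Mozilla Firefox 68.4.1esr"),
    ("ws-005", "firefox: command not found"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:15} {', '.join(hosts)}")
```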

