Security update for Mozilla Firefox to new version 72.0.1
The update fixes a 0-day vulnerability classified as critical that is already being exploited in attacks.
David Fischer
One day after the release of Firefox version 72.0, Mozilla released an urgent security update. A vulnerability found in Firefox up to and including version 72.0 was classified as critical. According to Mozilla, targeted attacks on the web that exploit this vulnerability are already known.
In the security report MFSA2020-03, Mozilla names the Chinese security company Qihoo 360 as the discoverer of the vulnerability. The vulnerability, tracked as CVE-2019-17026, lies in the JavaScript JIT compiler IonMonkey. The flaw can cause a type confusion, which can lead to memory accesses at invalid addresses. Injected code can subsequently be executed.
No details are known about the reported attacks. Since Mozilla speaks of targeted attacks in the wild, apparently only a few selected targets are affected initially. Because the vulnerability is now known to be exploitable, others will soon jump on the bandwagon and launch broader attacks using prepared web pages.
Mozilla has closed the security vulnerability in Firefox 72.0.1 and Firefox ESR 68.4.1. You should install the update to the new version immediately.