On Wednesday, Mozilla released updates for its Firefox browser that address a zero-day vulnerability exploited in targeted attacks.
Mozilla described the bug as an “IonMonkey type confusion with StoreElementHole and FallibleStoreElement.” It is tracked as CVE-2019-17026 and rated as having critical impact. IonMonkey is the just-in-time (JIT) compiler for the SpiderMonkey JavaScript engine.
“Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion,” Mozilla explained in its advisory.
Mozilla says it is aware of targeted attacks that leverage this flaw, but no other information is available.
In its Current Activity newsletter, the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security said that the vulnerability could allow an attacker to take control of an affected system.
The bug has been fixed in Firefox 72.0.1 and Firefox ESR 68.4.1, and users are urged to update.
Mozilla has credited the Chinese cybersecurity company Qihoo 360 with reporting the vulnerability. ZDNet has reported that Qihoo 360 posted a tweet saying that the Firefox zero-day was used alongside an Internet Explorer zero-day, but the tweet was deleted and there has been no word from Microsoft regarding an Internet Explorer zero-day.
Last year, Mozilla patched two Firefox zero-day vulnerabilities that were exploited to deliver cryptocurrency malware to Mac computers.
Firefox 72 was released this week. It improves privacy by allowing users to delete telemetry data and by blocking fingerprinting scripts by default. Firefox 72 also patches almost a dozen vulnerabilities, including five high-severity vulnerabilities.