UPDATE
Mozilla patched a critical vulnerability actively being exploited in the wild with its latest update to the Firefox browser.
Mozilla said in a security bulletin Wednesday that it was “aware of targeted attacks in the wild that were abusing the flaw. A successful attack “could make it possible for attackers who successfully exploit it to abuse affected systems,” according to Mozilla.
The disclosure came a day after Mozilla released its latest Firefox 72 browser on Tuesday. The Firefox 72 release introduced new privacy features along with patching five high-severity bugs. The latest patched version of Mozilla’s browser is Firefox 72.0.1 and Firefox ESR 68.4.1. The Firefox ESR browser is its Extended Support Release version of Firefox, designed for mass deployments.
Zero-Day Details
The critical zero-day flaw, impacting both Firefox browsers (CVE-2019-17026) “is a type confusion vulnerability in IonMonkey, the JavaScript Just-In-Time (JIT) compiler for SpiderMonkey, Mozilla’s JavaScript engine,” according to a description by Tenable.
A type confusion vulnerability is a specific bug that can lead to out-of-bounds memory access and can lead to code execution or component crashes that an attacker can exploit. The attack can be leverage by luring a Firefox user with an outdated browser to web page with maliciously code.
Details of attacks exploiting the bug were not available.
Bug Fixes for Firefox and ESR
The Tuesday release of Firefox 72 tackles five high-severity flaws, four moderate bugs and one low-risk vulnerability.
Three of the five high-severity bugs were tied to memory-corruption issues. One of the flaws (CVE-2019-17015) is described as “memory corruption in parent process during new content process initialization on Windows.” Attackers exploiting the security hole, which only exists in Windows systems, can create a “crash in the parent process.”
Another high-severity bug (CVE-2019-17017) is a “type-confusion” vulnerability found in XPCVariant.cpp. “The vulnerability allows a remote attacker to execute arbitrary code on the target system,” Mozilla wrote.
The “.ccp” extension of XPCVariant refers to a source-code file written in C++. This variety of type-confusion bug is common within ActionScript Virtual Machine components and is not exclusively problematic to Firefox. It can be triggered “when a piece of code doesn’t verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusion,” according to a Microsoft description.
All of the bug fixes rated “high” by Mozilla on Tuesday apply to both Firefox 72 and ESR 68.4, with the exception of the flaw tracked as CVE-2019-17025. That bug, described as a “memory-safety bug,” only impacts Firefox 72. “Some of these [memory-safety] bugs showed evidence of memory corruption, and we presume that with enough effort, some of these could have been exploited to run arbitrary code,” wrote Mozilla.
Memory safety is described by Arun Rajeevan as “the state of being protected from various software bugs and security vulnerabilities when dealing with memory access.”
Browser Fingerprinting
Chief among a number of browser enhancements is the introduction of built-in protections against websites and advertisers that track users across multiple websites using a technique called fingerprinting. The technique identifies visitors based on browser settings that include dozens of invisible variables such as browser versions, fonts, SVG (graphics) widgets and Web Graphics Library (WebGL), for starters.
“Firefox 72 protects users against fingerprinting by blocking all third-party requests to companies that are known to participate in fingerprinting. This prevents those parties from being able to inspect properties of a user’s device using JavaScript. It also prevents them from receiving information that is revealed through network requests, such as the user’s IP address or the user agent header,” wrote Steven Englehardt, a privacy engineer at Mozilla in a blog post Wednesday.
(This article was updated on Jan. 9 at 8:30 am with added details of the vulnerability CVE-2019-17026.)
Concerned about mobile security? Check out our free Threatpost webinar, Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time. Click here to register.
