Mozilla Firefox Zero-Day Being Actively Exploited, Patch Now!

Event Summary:

On January 8th, Mozilla released a security advisory to address a critical severity vulnerability affecting Firefox browsers, which is actively being exploited by malicious actors. Tracked as CVE-2019-17026, a successful exploit could allow for arbitrary code execution due to a type confusion vulnerability within the JavaScript JIT compiler IonMonkey. Mozilla have recommended users to update to Firefox 72.0.1 and Firefox Extended Support Release (ESR) 68.4.1, immediately after appropriate testing.

Attack Details:

Whilst specific details have been withheld, Mozilla have confirmed that ‘incorrect alias information in the JIT compiler for setting array elements could lead to type confusion’, whereby a resource is accessed using an incompatible type and can result in out-of-bounds memory access. By tricking an unsuspecting user into visiting a maliciously crafted web page, a remote attacker could execute arbitrary code on the system within the context of the application.

Systems affected by CVE-2019-17026 include:

  • Firefox versions prior to 72.0.1
  • Firefox ESR versions prior to 68.4.1

Impact and Recommendations:

The impact of a successful exploit varies depending on the privileges associated with the target. Systems with higher privileges would be more valuable to an attacker and pose a greater threat as they would have significantly less restrictions.

Tor users have also been affected as the browser is a special build of Firefox ESR, however an update has already been released under Tor Browser version 9.0.4.

Firefox does contain an automatic update feature, but due to the critical severity rating, it is recommended to manually check which version is installed so the appropriate actions can be taken.

To mitigate the effectiveness of an attack:

  • Users are advised to update vulnerable Firefox browsers
  • Where possible, software should be run as a non-privileged user to limit its capabilities
  • Users should also be trained to detect and report malicious content, as well as common techniques utilised by attackers

Links:

www.mozilla.org/en-US/security/advisories/mfsa2020-03/

www.tenable.com/blog/cve-2019-17026-zero-day-vulnerability-in-mozilla-firefox-exploited-in-targeted-attacks

arstechnica.com/information-technology/2020/01/firefox-gets-patch-for-critical-zeroday-thats-being-actively-exploited/

nakedsecurity.sophos.com/2020/01/09/browser-zero-day-update-your-firefox-right-now/

www.cisecurity.org/advisory/vulnerability-in-mozilla-firefox-could-allow-for-arbitrary-code-execution_2020-004/