Whilst specific details have been withheld, Mozilla have confirmed that ‘incorrect alias information in the JIT compiler for setting array elements could lead to type confusion’, whereby a resource is accessed using an incompatible type and can result in out-of-bounds memory access. By tricking an unsuspecting user into visiting a maliciously crafted web page, a remote attacker could execute arbitrary code on the system within the context of the application.
Systems affected by CVE-2019-17026 include:
- Firefox versions prior to 72.0.1
- Firefox ESR versions prior to 68.4.1
Impact and Recommendations:
The impact of a successful exploit varies depending on the privileges associated with the target. Systems with higher privileges would be more valuable to an attacker and pose a greater threat as they would have significantly less restrictions.
Tor users have also been affected as the browser is a special build of Firefox ESR, however an update has already been released under Tor Browser version 9.0.4.
Firefox does contain an automatic update feature, but due to the critical severity rating, it is recommended to manually check which version is installed so the appropriate actions can be taken.
To mitigate the effectiveness of an attack:
- Users are advised to update vulnerable Firefox browsers
- Where possible, software should be run as a non-privileged user to limit its capabilities
- Users should also be trained to detect and report malicious content, as well as common techniques utilised by attackers