
Mozilla fixes actively exploited Firefox flaw that could trigger code execution


Mozilla has fixed a critical vulnerability in the Firefox browser that was being actively exploited. The patch was released with Firefox version 72.0.1 and Firefox ESR 68.4.1. China-based Qihoo 360 was credited for finding the vulnerability and reporting it to Mozilla.

According to the limited disclosure of the vulnerability, indexed as CVE-2019-17026, Mozilla says that it is “aware of targeted attacks in the wild abusing this flaw”. When exploited, this flaw could potentially enable an attacker to gain access to the target’s PC.

According to the security advisory by Mozilla, the flaw is caused by “Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion”.

Type confusion usually occurs when a portion of code blindly uses an object passed to it without verifying its type. The wrong data then flows into the wrong code, which can lead to code execution. In simpler terms, type confusion can enable an attacker to run any command they wish on the target machine.
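To make the advisory's wording concrete, the following is an added illustration, not code from Mozilla or from the Firefox source. It models, in a toy C program, the pattern the advisory describes: a type check is performed on an array slot, an element store that changes the slot's representation happens afterwards, and code that assumes the store could not have aliased the slot's type field keeps trusting the stale check. The `slot_t` layout, `set_element_double` and both read functions are constructed for this example and are not SpiderMonkey's real data structures. The second read function shows the defensive fix: re-validate the type after any operation that may have changed it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy "boxed" value, loosely modelled on the tagged values a JS engine
 * keeps in array slots. Constructed for illustration only; this is not
 * SpiderMonkey's or IonMonkey's real representation. */
typedef enum { KIND_INT32, KIND_DOUBLE } kind_t;

typedef struct {
    kind_t kind;
    union {
        int32_t i;
        double  d;
    } u;
} slot_t;

/* An element store that changes the slot's representation. Compiled code
 * that believes this store cannot alias the kind field will keep relying
 * on a type check it performed before the store. */
static void set_element_double(slot_t *slot, double d) {
    slot->kind = KIND_DOUBLE;
    slot->u.d  = d;
}

/* Vulnerable pattern: check the kind once, perform a store with side
 * effects, then trust the stale check. The caller receives the first four
 * bytes of a double reinterpreted as an int32: a type confusion. */
static bool read_int32_stale_check(slot_t *slot, double stored, int32_t *out) {
    if (slot->kind != KIND_INT32)
        return false;                 /* check happens here ...            */
    set_element_double(slot, stored); /* ... representation changes here ... */
    *out = slot->u.i;                 /* ... and the stale check is trusted  */
    return true;
}

/* Hardened pattern: re-validate the kind after any operation that may
 * have aliased it, and refuse the read if it no longer matches. */
static bool read_int32_rechecked(slot_t *slot, double stored, int32_t *out) {
    if (slot->kind != KIND_INT32)
        return false;
    set_element_double(slot, stored);
    if (slot->kind != KIND_INT32)     /* the store changed the kind: bail out */
        return false;
    *out = slot->u.i;
    return true;
}

/* Helper: the first four bytes of a double's IEEE-754 image, which is
 * exactly what the confused read above hands back. */
static int32_t low_bits_of_double(double d) {
    int32_t bits;
    memcpy(&bits, &d, sizeof bits);
    return bits;
}

int main(void) {
    slot_t slot = { KIND_INT32, { .i = 42 } };
    int32_t v = 0;

    if (read_int32_stale_check(&slot, 1.1, &v))
        printf("stale check: read int32 %d from a slot that now holds a double "
               "(matches raw bits: %s)\n", v,
               v == low_bits_of_double(1.1) ? "yes" : "no");

    slot = (slot_t){ KIND_INT32, { .i = 42 } };
    if (!read_int32_rechecked(&slot, 1.1, &v))
        printf("re-check: refused to read a slot whose kind changed\n");
    return 0;
}
```

The unchecked read does not crash in this toy because both union members are plain numbers; in a real engine the confused value is typically a pointer, which is why the advisory treats the bug as a potential code-execution primitive rather than a mere wrong answer.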

In another security advisory published by Mozilla on Tuesday, the company lists a total of 11 bugs, six of which were rated high; all were patched in the Firefox version 72 release. These vulnerabilities have been indexed from CVE-2019-17015 to CVE-2019-17025. These patches come a month after Mozilla released Firefox version 71, which brought several feature updates including picture-in-picture mode, which lets videos play in a small window even when switching between tabs or leaving the Firefox window.

Mozilla also announced its full-device VPN for Windows 10 in the USA, which is currently invitation-only at an introductory price of US$4.99 per month. Users can join the waitlist, and those who are eligible will receive a link from the company to access the VPN.

Last month, researchers also found that Android users with fully patched devices, including those running the latest edition of the OS, Android 10, are vulnerable to a malware dubbed ‘Strandhogg’, which poses as legitimate apps and targets users’ bank accounts.

Writes news mostly and edits almost everything at Candid.Technology. He loves taking trips on his bikes or chugging beers as Manchester United battle rivals.