Mozilla Releases Patch for Zero-Day Vulnerability Days After Firefox 72 Release

Just two days after releasing Firefox 72, Mozilla has issued an update to patch a critical zero-day flaw.

According to an advisory on Mozilla’s website, the issue identified as CVE-2019-17026 is a type confusion bug affecting Firefox’s IonMonkey JavaScript Just-in-Time (JIT) compiler.

The vulnerability was categorized as a type confusion, a memory bug where a memory input is initially allocated as one type but gets switched to another type during manipulation, causing unexpected consequences to data processing, including the ability to execute code on a vulnerable system.

“Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion,” Firefox developers wrote in the security advisory.

The Cybersecurity and Infrastructure Security Agency (CISA) in the United States has also published a warning, recommending users to install the latest Firefox version. A successful attack can provide a malicious actor with full control of a compromised device, it says.

“Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR,” CISA says. “An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 72.0.1 and Firefox ESR 68.4.1 and apply the necessary updates.”

It’s the second time within seven months that Firefox has sustained a critical zero-day vulnerability being actively exploited in the wild.

A previous flaw, discovered in June 2019, gave attackers the tools to execute arbitrary code on flawed machines and in some cases take over users’ devices remotely.