Firefox Critical patch zero day

Good morning,

I don't see https://www.bleepingcomputer.com/news/security/mozilla-firefox-7201-patches-actively-exploited-zero-day/ https://www.mozilla.org/en-US/firefox/72.0.1/releasenotes/ yet on my BigFix console. Is there an indication when this will be released?

Mozilla released Firefox 72.0.1 and Firefox ESR 68.4.1 to patch a critical-severity, actively exploited vulnerability that could potentially allow attackers to execute code or trigger crashes on machines running vulnerable Firefox versions.

As Mozilla’s security advisory says, the Firefox developers are “aware of targeted attacks in the wild abusing this flaw” which could make it possible for attackers who successfully exploit it to abuse affected systems.

The Firefox and Firefox ESR zero-day flaw fixed by Mozilla was reported by a research team from Qihoo 360 ATA.

BleepingComputer has reached out to the Qihoo 360 ATA researchers for additional details but had not heard back at the time of this publication.

Mozilla Firefox 72.0.1

The type confusion vulnerability tracked as CVE-2019-11707 impacts the web browser’s IonMonkey Just-In-Time (JIT) compiler and it occurs when incorrect alias information is fed for setting array elements.

This type of security flaw can lead to out-of-bounds memory access in languages without memory safety which, in some circumstances, can lead to code execution or exploitable crashes.

Potential attackers could trigger the type confusion flaw by redirecting users of unpatched Firefox versions to maliciously crafted web pages.

CVE-2019-17026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert saying that “an attacker could exploit this vulnerability to take control of an affected system,” and advising users to review the Mozilla Security Advisory and apply the security update.

While there is no other info related to this 0-day flaw, all users should install the patched Firefox release by manually checking for the new update by going to the Firefox menu -> Help -> About Firefox.

You can also download the latest patched version for Windows, macOS, and Linux from the following links:

Firefox 72.0.1 for Windows 64-bit
Firefox 72.0.1 for Windows 32-bit
Firefox 72.0.1 for macOS
Firefox 72.0.1 for Linux 64-bit
Firefox 72.0.1 for Linux 32-bit
This security patch comes a day after Firefox 72.0 was released with fixes for another 11 security vulnerabilities, five of them being classified as ‘High’, five classified as ‘Medium’, and one as ‘Low’.

Of the five high severity vulnerabilities, four could potentially be used by attackers for arbitrary code execution after leading victims to specially crafted malicious pages.

In June 2019, Mozilla patched two other actively exploited zero-day vulnerabilities used in targeted attacks against cryptocurrency firms such as Coinbase.

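While waiting for the fixlet to appear, it helps to know which machines in an inventory are still exposed. The check below is an added example, not code from the thread, BleepingComputer or BigFix: it compares recorded Firefox version strings against the two fixed releases named in the article (72.0.1 for the mainline branch and 68.4.1 for ESR) rather than using a single naive "less than 72.0.1" comparison, which would wrongly flag a patched ESR 68.4.1 as vulnerable. The hostnames, version strings and the assumption that a suffix-less 68.x version belongs to the ESR line are constructed for this example.

```python
"""Branch-aware check of Firefox inventory versions against the 72.0.1 / ESR 68.4.1 fix."""
import re
from typing import Dict, List, Tuple

# Fixed versions named in the thread: mainline 72.0.1 and ESR 68.4.1.
FIXED_MAINLINE = (72, 0, 1)
FIXED_ESR = (68, 4, 1)

# Accepts '72.0', '72.0.1', '68.4.1esr' and similar inventory strings.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_esr) for a Firefox version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    major, minor, patch, esr = m.groups()
    nums = (int(major), int(minor or 0), int(patch or 0))
    # Assumption for this example: inventories sometimes drop the 'esr' suffix,
    # so any 68.x version is treated as the ESR line current at the time of the fix.
    is_esr = esr is not None or nums[0] == 68
    return nums, is_esr


def is_patched(text: str) -> bool:
    """True when the version already contains the zero-day fix for its branch."""
    nums, is_esr = parse_version(text)
    if is_esr:
        return nums >= FIXED_ESR
    return nums >= FIXED_MAINLINE


def find_unpatched(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose recorded Firefox version still lacks the fix, sorted by name."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "ws-001": "72.0",        # released the day before; does NOT contain the fix
    "ws-002": "72.0.1",      # patched mainline
    "ws-003": "71.0",        # older mainline
    "srv-010": "68.4.0esr",  # ESR one release short of the fix
    "srv-011": "68.4.1esr",  # patched ESR
    "srv-012": "68.4.1",     # ESR reported without the suffix; treated as ESR line
    "ws-004": "73.0",        # later mainline release, already fixed
}

if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: Firefox {SAMPLE_INVENTORY[host]} still lacks the fix")
```

Feeding the output of a BigFix or other inventory report into `find_unpatched` gives a quick list of hosts to prioritise once the 72.0.1 fixlet arrives; note that 72.0 itself is reported as unpatched, matching the point made later in the thread.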
What is the normal turnaround for security fixlets? We are new to BigFix and went to look for this update and it is still not in there.

Content Modification Announcement - Updates for Windows Applications - Mozilla Firefox 72.0 / Google Chrome. Mind you, this is NOT 72.0.1, so it's (still) not released; this version doesn't fix CVE-2019-17026.


Just released. Please see Content Modification Announcement - Updates for Windows Applications - Mozilla Firefox 72.0.1 for reference.