News

Mozilla Releases Firefox 67.0.3 As It Fixes An Actively Exploited Zero-Day

Firefox 67.0.3 with zero-day fix

Just a week ago, Mozilla rolled-out an updated version of its Firefox browser v.67.0.2, while fixing a low-severity bug. Nonetheless, it seems they missed to fix another bug that was more severe. Now, Mozilla has rolled-out another update, Firefox 67.0.3, as it fixes a critical zero-day bug actively exploited in the wild.

Critical Firefox Zero-Day Bug Actively Exploited

Mozilla has reportedly patched a critical bug in a hurry. What makes this vulnerability more alarming is its active exploitation in the wild.

In their security advisory released on June 18, 2019, Mozilla stated about a critical type confusion bug targeting the browser. Exploiting the vulnerability could result in an exploitable crash.

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash.

Describing this vulnerability, Mozilla confirmed their knowledge of active exploitation of the bug.

We are aware of targeted attacks in the wild abusing this flaw.

Mozilla acknowledged the discovery of the bug to Samuel Groß associated with Google Project Zero and Coinbase Security.

Although, they haven’t mentioned many details about the bug in their advisory. Yet, Groß shared some details about this Type Confusion in Array.pop (CVE-2019-11707) to ZDNet. In his statement, he told,

The bug can be exploited for RCE [remote code execution] but would then need a separate sandbox escape. However, most likely it can also be exploited for UXSS [universal cross-site scripting] which might be enough depending on the attacker’s goals.

He did however clearly express his unawareness regarding the “why” and “how” of the active exploitation of the vulnerability.

Firefox 67.0.3 Released With A Patch

After receiving the report from the researcher, Mozilla worked out a fix to address the bug. They have released the patch with the latest browser version Firefox 67.0.3. In addition, since the bug also threatened Firefox ESR users, they have rolled out a fix with the updated Firefox ESR 60.7.1 as well.

To stay protected from any potential mishap, the users of Mozilla Firefox must ensure updating their devices with the recent patched browser versions.

Take your time to comment on this article.

You Might Also Like