Mozilla has issued an emergency update for its Firefox web browser following the discovery of a critical security vulnerability under active exploitation in the wild.
The modern web browser is the most-attacked piece of software in the world, because it is one of the only tools expressly designed to download data from third-party sources and execute it. It's no surprise, then, to see browser builders issuing security patches for their products - but the latest emergency update from Mozilla for its Firefox family of browsers is somewhat unusual, in being an out-of-schedule update for a zero-day vulnerability that was being exploited in the wild.
Discovered by Google Project Zero's Samuel Groß and the security division at cryptocurrency expert Coinbase, the vulnerability - CVE-2019-11707: Type confusion in Array.pop - allows for a malicious site to create an 'exploitable crash' in the Firefox browser, potentially executing arbitrary code as a result. The flaw is rated by Mozilla as critical, its highest rating.
To protect users, an update has been released: Those on the mainline version of Firefox should ensure they have updated to Firefox 67.0.3 or higher using the built-in update facility or by downloading the software afresh; those on the Extended Support Release (ESR) should upgrade to Firefox ESR 60.7.1.
Full details of the vulnerability, as logged in the Mozilla bug report system, are being kept private for the time being so that the patch can be disseminated; Mozilla's security advisory, meanwhile, is available on the official website.
Mozilla has issued a second unscheduled update for another zero-day vulnerability under active exploitation, this time allowing the attacker to escape the browser's 'sandbox' system. Users are advised to ensure that they have updated to Firefox 67.0.4 or Firefox ESR 60.7.2. More information on the latest vulnerability is available on the Mozilla website.
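For anyone auditing a fleet rather than a single machine, the two advisories above reduce to a version check against both branches. The following is an added example (not from Mozilla or the article) that parses a `firefox --version` string and reports whether it meets the later of the two fixed versions; it assumes ESR builds carry a trailing `esr` tag in the version string and that anything without that tag is a mainline release.

```python
import re

# Minimum fixed versions taken from the advisories quoted on this page.
# The second update (67.0.4 / ESR 60.7.2) supersedes the first
# (67.0.3 / ESR 60.7.1), so it is the bar to check against.
FIXED = {
    "release": (67, 0, 4),
    "esr": (60, 7, 2),
}

# Matches e.g. "67.0.3", "68.0" or "60.7.1esr" (esr tag assumed to mark ESR).
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?\s*(esr)?", re.IGNORECASE)


def parse_firefox_version(text):
    """Return (channel, (major, minor, patch)) from text such as
    'Mozilla Firefox 67.0.3'; raises ValueError if no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no Firefox version found in: %r" % text)
    major, minor, patch, esr = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    channel = "esr" if esr else "release"
    return channel, version


def is_patched(text):
    """True if the reported build is at or above the fixed version for its
    branch. A 60.x build without the esr tag is treated as mainline and so
    reported unpatched, which is the conservative outcome for an auditor."""
    channel, version = parse_firefox_version(text)
    return version >= FIXED[channel]


if __name__ == "__main__":
    # Constructed sample strings, not real inventory data.
    for sample in ("Mozilla Firefox 67.0.3", "Mozilla Firefox 67.0.4",
                   "Mozilla Firefox 60.7.1esr", "Mozilla Firefox 60.7.2esr"):
        print(sample, "->", "patched" if is_patched(sample) else "UPDATE REQUIRED")
```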
February 17 2020 | 09:00