Mozilla urges Firefox users to patch browsers immediately

A critical zero-day flaw that allows remote access and control is being actively exploited in the wild

Firefox offices

Mozilla has released an emergency update to its Firefox browser to fix a critical vulnerability that is allowing attackers to seize control of users' machines.

Versions 67.0.3 and ESR 60.7.1 has been released to users on Windows, macOS and Linux desktop machines to mitigate a zero-day vulnerability dubbed CVE-2018-11707. The flaw does not arise or on Android, iOS or Amazon Fire TV iterations of the browser.

Advertisement - Article continues below

When exploited, it allows an attacker to execute arbitrary code on flawed machines and is being actively exploited in the wild, according to Mozilla. This could allow cyber criminals to seize full control if a system.

The critical vulnerability was discovered by Samuel Gro from Google Project Zero, and involves what is referred to as type confusion in Array.pop. When triggered, this can lead to an exploitable crash due to issues which occur when the browser attempts to manipulate JavaScript objects.

Mozilla deems a vulnerability to be 'critical' when it can be used to run code and install software without any user interaction required beyond normal browsing.

Highly severe zero-day flaws aren't uncommon, but they are often found and mitigated with patches by developers before cyber criminals are able to discover them and begin attacking users remotely.

Advertisement
Advertisement - Article continues below

The previous critical zero-day flaws that Mozilla discovered in Firefox 67 and Firefox ESR 60.7 were memory safety bugs flagged on 21 May this year. On this occasion, attackers were not found to be exploiting the vulnerabilities.

Advertisement - Article continues below

Another high-profile Firefox vulnerability was discovered last year by security researchers independent of Mozilla. After networking giant Cisco flagged an issue that could allow remote attackers to execute malicious code, the developers issued an emergency patch and urged users to update their browsers.

The news also comes at a time in which Mozilla is planning to introduce a host of security and privacy-centric features within Firefox, including tools such as secure storage, and a virtual private network (VPN).

Many of these new features could arise in a subscription-based version of the Firefox browser, which the developer last week hinted may surface before the end of 2019.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement

Recommended

Visit/security/cyber-security/355185/165-million-britons-experienced-a-cyber-crime-in-the-past-year
cyber security

Report: 16.5 million Britons fell victim to cyber crime in the past year

1 Apr 2020
Visit/cloud/amazon-web-services-aws/355183/aws-launches-amazon-detective
Amazon Web Services (AWS)

AWS launches Amazon Detective for investigating security incidents

1 Apr 2020
Visit/security/privacy/355182/government-to-launch-coronavirus-contact-tracking-app
privacy

UK government to launch coronavirus 'contact tracking' app

1 Apr 2020
Visit/software/video-conferencing/355180/zoom-does-not-use-end-to-end-encrypted
video conferencing

Zoom admits meetings don't use end-to-end encryption

1 Apr 2020

Most Popular

Visit/security/cyber-crime/355171/fbi-warns-of-zoom-bombing-hackers-amidst-coronavirus-usage-spike
cyber crime

FBI warns of ‘Zoom-bombing’ hackers amid coronavirus usage spike

31 Mar 2020
Visit/development/application-programming-interface-api/355192/apple-buys-dark-sky-weather-app-and-leaves
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
Visit/security/data-breaches/355173/marriott-hit-by-data-breach-exposing-personal-data-of-52-million
data breaches

Marriott data breach exposes personal data of 5.2 million guests

31 Mar 2020
Visit/data-insights/data-management/355170/oracle-cloud-courses-are-free-during-coronavirus-lockdown
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020