IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Mozilla fixes Firefox zero-day being actively exploited

The US cyber security agency has warned the vulnerability is being used to take control of users’ machines

Graphic concept of a hacker with colour effects, overlaid on words

Mozilla has patched a critical flaw in its Firefox browser that’s being actively exploited by criminals in targeted attacks.

The critical vulnerability, branded CVE-2019-17026, allows an attacker to seize control of an affected computer through a mechanism that leads to ‘type confusion’, according to an advisory released by Mozilla. 

The company confirmed that the critical flaw, which has now been patched, affects users running version 72 of Firefox and version 68.4 of Firefox ESR. The developer added that it’s "aware of targeted attacks in the wild abusing this flaw". 

The severity of the flaw is such that the US Cyber Security and Infrastructure Agency has issued a separate warning urging Firefox users to apply the necessary updates.

The attack works by causing ‘type confusion’, which is a potentially critical error that can lead to data being read from or written to locations of memory normally out of bounds. When triggered, this can lead to an exploitable crash because of issues caused when the browser attempts to manipulate JavaScript objects.

It’s the second time within seven months that Firefox has sustained a critical zero-day vulnerability being actively exploited in the wild.

A previous flaw, discovered in June 2019, gave attackers the tools to execute arbitrary code on flawed machines and in some cases take over users’ devices remotely.

The latest emergency fix follows a round of 11 CVE-rated bug fixes Mozilla has issued, five of which were rated ‘high’ and four rated ‘medium’. Among these highly-rated issues were memory safety bugs in Firefox 72, another type confusion issue, and a memory corruption flaw.

Related Resource

Why UEM is the key to enterprise IT security

A guide to effective endpoint security

Download now

The second major security scare within a matter of months is a blow to a developer trying to forge a fresh identity for Firefox as a privacy-centric web browser. Mozilla has teased and rolled out a suite of changes to how Firefox functions in the last year, including tools like a virtual private network (VPN).

In September last year, Mozilla also instigated a change in Firefox that would block known third-party tracking cookies and cryptocurrency mining by default as part of its Enhanced Tracking Protection (ETP).

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Kaspersky exposes MysterySnail zero-day exploit in Windows
zero-day exploit

Kaspersky exposes MysterySnail zero-day exploit in Windows

13 Oct 2021
Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Researchers demonstrate how to install malware on iPhone after it's switched off
Security

Researchers demonstrate how to install malware on iPhone after it's switched off

18 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022