Mozilla has pushed out an update to patch a critical vulnerability in Firefox. It’s urging users to update as quickly as possible — and it’s joined in that warning by the US government.
Chinese cybersecurity firm Qihoo 360 reported the zero-day exploit. Mozilla claims to be aware of “targeted attacks in the wild abusing this flaw,” though it doesn’t say exactly how it’s being abused. It describes the problem as “Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion.”
Even the Department of Homeland Security is urging users to update their Firefox browser to the latest version. The Cybersecurity and Infrastructure Security Agency (CISA) warns the flaw could be exploited to “take control of an affected system,” which certainly sounds dire.
This is the third zero-day exploit Mozilla has patched in a year. Last June, one such attack, which was also described as a “type confusion vulnerability,” apparently targeted Coinbase users. A second flaw was patched a few days later. According to ZDNet, the zero-days were used by a hacking group in an attempt to infect Coinbase staff via a spear-phishing email containing links to malicious sites.
This current exploit sounds just as bad, if not worse, so we echo the CISA warning to update your Firefox browser.
The latest version with the patch is version 72.0.1, and it’s currently available. To make sure you have the latest version, go to the drop-down menu in the top-right corner, select “Help,” and then “About Firefox.” This will open a window that tells you what version you have, and will give you the option of restarting the browser to finish the update. The patch is also applied in ESR 68.4.1.
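For anyone checking more than one machine, the version check above can be scripted. The following is an added example, not code from Mozilla or from this article: it assumes version strings in the form printed by `firefox --version` (for example `Mozilla Firefox 72.0.1` or `Mozilla Firefox 68.4.1esr`), and the host names and inventory are constructed sample data.

```python
import re

# Fixed versions as stated in the article.
FIXED_RELEASE = (72, 0, 1)
FIXED_ESR = (68, 4, 1)

# Matches "72.0.1", "72.0" or "68.4.1esr"; pre-release strings such as
# "72.0b4" deliberately do not match and are reported as unknown.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch), is_esr), or None if nothing parses."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, m.group(4) is not None


def is_patched(text):
    """True if at or above the fixed version, False if below, None if unknown."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    version, is_esr = parsed
    # Only the ESR 68 branch is compared against the ESR fix; an older ESR
    # branch falls through and is compared against the release fix.
    if is_esr and version[0] == FIXED_ESR[0]:
        return version >= FIXED_ESR
    return version >= FIXED_RELEASE


def needs_attention(inventory):
    """Return hosts that are unpatched (False) or could not be parsed (None)."""
    return {h: is_patched(v) for h, v in inventory.items() if is_patched(v) is not True}


if __name__ == "__main__":
    # Constructed sample inventory: host name -> output of `firefox --version`.
    sample = {
        "host-a": "Mozilla Firefox 72.0.1",
        "host-b": "Mozilla Firefox 72.0",
        "host-c": "Mozilla Firefox 68.4.0esr",
        "host-d": "Mozilla Firefox 68.4.1esr",
    }
    for host, state in needs_attention(sample).items():
        print(host, "UNPATCHED" if state is False else "UNKNOWN")
```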