A recent release of Mozilla Firefox has a vulnerability severe enough that even the Department of Homeland Security is telling everyone to update.
According to Mozilla, “incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw.”
That last statement is particularly worrisome, as many software flaws are patched before bad actors start abusing them. In this case, however, the flaw is already being exploited.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) states the following:
“Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.
“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 72.0.1 and Firefox ESR 68.4.1 and apply the necessary updates.”
As CISA points out, this flaw impacts both the regular and enterprise (ESR) versions of Firefox, so ALL users should update immediately. Individuals can use the app’s built-in updater or go to Mozilla’s official site for the latest version.