Firefox’ update releases with the patch of CVE-2019-17026 vulnerability
Mozilla Firefox new update has rolled out with the fix of a zero-day vulnerability labeled as CVE-2019-17026 which was actively exploited in the wild. The vulnerability allows attackers who exploit the browser to take the complete control over the infected system.
Here is the notification issued by The United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA):
“Mozilla has released security updates to address vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.”
This actually states how critical the vulnerability was. The Firefox’ update with the fixes of this vulnerability was released on January 8 just after another major update version 72 on Jan 7 that fixed 11 security vulnerability. All Firefox users should immediately patch the browser with the latest update, which is 72.0.1 for Firefox and 68.4.1 Firefox ESR.
From where the vulnerability occurs
Mozilla Firefox is the very popular and the second most used browser after Google Chrome. Latest statistic says, it is taking 9.54% of the market share in the business. This may be the reason why the update is sincerely focused and government based institute was advising users to install the latest update of the Firefox with the patch of the zero-day vulnerability.
Qihoo 360, a Chinese security firm discovered this CVE-2019-17026 flaw of the Firefox browser. No finding of the threat Intelligence Company were published publically and no any details were revealed to those who tried to contact the firm. What is known that, the vulnerability occurs when the resource that the program allocates or initializes with does not find any match with what the resources originally used in it. In other word, some remote code execution could be used for accessing to the program.
What the only thing that is known currently, as explained in Mozilla’s advisory:
“Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion.”
Zero-day vulnerabilities are very dangerous
Zero-day vulnerabilities of a program are those bugs that have not yet discovered by the developer or other members of info-security community and are being used by malicious actors in the wild. Hackers can utilize such bugs and exploit anything without limitations. Recently, the two Firefox’s vulnerabilities that have been patched affected Mac OS version of the browser and allowed the hackers to create backdoor for cryptocurrency exchange.