25 votes

U.S. Government Confirms Critical Security Warning For Firefox Users

8 comments

  1. [2]
    ThatFanficGuy
    Link
    The gist: <...> <rant>And apparently, the website needed localStorage access to render about 2.5× that much text, without an image or even an interactive element.</rant>

    The gist:

    What is CVE-2019-17026?

    Known officially as CVE-2019-17026, there remains little public disclosure as to the precise nature of the vulnerability itself. Beyond that which the Mozilla advisory reveals, that is. What we do know, then, is that this is a "type confusion vulnerability" in the IonMonkey just-in-time (JIT) compiler for the Firefox SpiderMonkey JavaScript engine. The Mozilla Foundation describes the 0day vulnerability as being due to "incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion."

    <...>

    What do you need to do now?

    The Mozilla Foundation advisory states that it is "aware of targeted attacks in the wild abusing this flaw," something that is confirmed by the CISA alert mentioned earlier. The good news is that a second update within a day of the first has been made available for Firefox that patches the vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has encouraged users and administrators to "review the Mozilla Security Advisory for Firefox 72.0.1 and Firefox ESR 68.4.1 and apply the necessary updates." This should be considered as a matter of some urgency, given that this critical zero-day is being exploited already.

    Windows users can check to see if Firefox is safe by hitting the hamburger menu to the top right of the browser and selecting "About Firefox" from the Help section. For Apple users, the option can be found in the 'top' Firefox menu. If your browser is showing as being version 72.0.1, then you are safe from this 0day exploit. Enterprise users should ensure that they have updated to version 68.4.1 of Firefox ESR.

    <rant>And apparently, the website needed localStorage access to render about 2.5× that much text, without an image or even an interactive element.</rant>

    15 votes
    1. dblohm7
      Link Parent
      For context: we don't reveal the specifics around security bugs until some time after the vulnerability has been patched. The idea here is to ensure that everybody has had ample opportunities to...

      there remains little public disclosure as to the precise nature of the vulnerability itself.

      For context: we don't reveal the specifics around security bugs until some time after the vulnerability has been patched. The idea here is to ensure that everybody has had ample opportunities to update before we publicize the details. Revealing the details too soon could make the situation even worse.

      11 votes
  2. [5]
    Keegan
    Link
    Is this just for the PC version or for Android as well?

    Is this just for the PC version or for Android as well?

    2 votes
    1. [4]
      spit-evil-olive-tips
      Link Parent
      According to this, Android is also vulnerable.

      According to this, Android is also vulnerable.

      7 votes
      1. [3]
        Keegan
        Link Parent
        Ok. Seems like I'm already updated to 68.5, so I'm alright.

        Ok. Seems like I'm already updated to 68.5, so I'm alright.

        1 vote
        1. [2]
          pvik
          Link Parent
          Are you on ESR? The latest version of ESR is 68.4.1 (which includes the fix for this CVE specifically) from release notes. If you are on regular Firefox, you will need to upgrade to 72.0.1

          Are you on ESR? The latest version of ESR is 68.4.1 (which includes the fix for this CVE specifically) from release notes.

          If you are on regular Firefox, you will need to upgrade to 72.0.1

          1 vote
          1. Keegan
            Link Parent
            I'm on Firefox Beta for Android. For my PC I'm just using regular. I'm all updated now as far as I can tell.

            I'm on Firefox Beta for Android. For my PC I'm just using regular. I'm all updated now as far as I can tell.

  3. meme
    Link
    God I hate forbes. What a horribly written article padded out to be as long as possible.

    God I hate forbes. What a horribly written article padded out to be as long as possible.

    2 votes