The zero-day vulnerability would allow the attackers to take over users’ machines
Mozilla has rolled out a critical update – it patched a zero-day vulnerability within the browser that is being actively exploited in the wild. If successfully exploited, it would allow attackers to take over the affected machines – Mozilla said that it is aware of the flaw being used in targeted attacks. The zero-day has been assigned the identifier CVE-2019-17026[1] and affects not only Firefox but also Firefox ESR, the extended-support build used in large organizations.
To judge how critical the vulnerability actually is, one can refer to the alert issued by the United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), which states:[2]
Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.
The new patch that fixes the flaw was released on January 8, just a day after the major version 72 update on January 7, which itself fixed 11 security vulnerabilities. All users who have Mozilla Firefox installed should patch the browser immediately with the latest update: 72.0.1 for Firefox and 68.4.1 for Firefox ESR.
Type confusion vulnerability
Mozilla Firefox is one of the major browsers on the market today and the second most-used browser after Google Chrome, holding 9.54% of the market share, according to the latest statistics.[3] This is possibly the reason why government institutions advised users and organizations to patch the flaw as soon as possible.
In the advisory posted by the Mozilla Foundation as soon as the patch was released, the flaw CVE-2019-17026 was rated critical. The flaw was discovered by the Chinese security firm Qihoo 360, a well-known threat intelligence company. Nevertheless, Qihoo 360 has not published any of its findings, and, according to sources that tried to contact the firm, no response with further details was received.[4]
CVE-2019-17026 is a type confusion flaw, otherwise known as "Access of Resource Using Incompatible Type." According to the Common Weakness Enumeration,[5] it occurs when a program allocates or initializes a resource using one type but later accesses that resource using an incompatible type. In other words, memory is read or written as if it held a different kind of object than it actually does, which can lead to remote code execution.
Not much is currently known about CVE-2019-17026, other than that it is an "IonMonkey just-in-time (JIT) compiler type confusion" in Firefox's SpiderMonkey JavaScript engine, as explained in Mozilla's advisory:
Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion.
Zero-days are relatively rare, although extremely dangerous
A zero-day vulnerability, also known as a 0-day, is a software bug that has not yet been discovered by the application's developers, bug bounty participants, or other members of the information security community, but is already being used by malicious actors in the wild. As a result, attackers can exploit such a flaw without limitation, since nothing prevents its exploitation until a patch is available; that is precisely the situation with CVE-2019-17026.
The patch comes just seven months after the previous two Firefox zero-days were patched; those affected the macOS version of the browser and allowed threat actors to install a backdoor in attacks related to the cryptocurrency exchange platform Coinbase. In 2015, ESET published a report on another Firefox 0-day, which exploited Firefox's embedded PDF viewer to execute remote JavaScript commands.[6]
All users should launch the Firefox browser in order to initiate the update. If that does not work, they should open the menu and go to Help > About Firefox to start the patching process.
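For administrators who need to verify the update across many machines rather than through the About dialog, here is an added POSIX shell check (not from the article or from Mozilla) that classifies the output of `firefox --version` against the fixed releases named above, 72.0.1 for the release channel and 68.4.1 for ESR. It assumes the usual output formats `Mozilla Firefox 72.0.1` and `Mozilla Firefox 68.4.1esr`.

```shell
#!/bin/sh
# Added example, not part of the article: decide whether an installed Firefox
# is at or above the release that fixed CVE-2019-17026.
# Assumed `firefox --version` formats: "Mozilla Firefox 72.0.1" (release)
# and "Mozilla Firefox 68.4.1esr" (ESR).
FIXED_RELEASE=72.0.1
FIXED_ESR=68.4.1

# version_ge A B: succeed if dotted version A >= B (missing fields count as 0).
version_ge() {
    a=$1; b=$2
    while [ -n "$a$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# firefox_patched "<version line>": 0 = patched, 1 = needs update, 2 = unparsable.
firefox_patched() {
    case $1 in
        "Mozilla Firefox "*esr) num=${1#"Mozilla Firefox "}; num=${num%esr}
                                min=$FIXED_ESR; chan=ESR ;;
        "Mozilla Firefox "*)    num=${1#"Mozilla Firefox "}
                                min=$FIXED_RELEASE; chan=release ;;
        *) echo "unrecognised version string: '$1'" >&2; return 2 ;;
    esac
    # Reject anything that is not digits and dots before the numeric comparison.
    case $num in ""|*[!0-9.]*) echo "unrecognised version number: '$num'" >&2; return 2 ;; esac
    if version_ge "$num" "$min"; then
        echo "Firefox $chan $num: patched against CVE-2019-17026 (>= $min)"
    else
        echo "Firefox $chan $num: NOT patched, update to $min or later"
        return 1
    fi
}

# When run directly, check the local install if one is on PATH.
if command -v firefox >/dev/null 2>&1; then
    firefox_patched "$(firefox --version 2>/dev/null)" || :
fi
```

In a fleet script, drop the `|| :` so the exit status (1 for an unpatched browser) can drive the reporting.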