If you haven’t patched your Firefox browser today, you should do it immediately as there is an active zero-day exploit indexed as CVE-2019-17026.
An emergency patch was just released shortly after Mozilla shipped version 72 of its Firefox browser. According to the official advisory, the bug is critical, and it was discovered by Qihoo 360 ATA researchers. The vulnerability is described as “incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion.”
The company is aware of targeted attacks in the wild against the CVE-2019-17026 vulnerability. To be protected, users should install Firefox 72.0.1 and Firefox ESR 68.4.1.
CVE-2019-17026: Short Technical Overview
The vulnerability is a type confusion, which can happen due to data being written to or read from memory locations that usually are off-limits. This could allow threat actors to discover memory locations where malicious code is stored, and to bypass protections such as address space layout randomization, researchers explain.
The good news is that the vulnerability was addressed in Firefox 72.0.1. It’s noteworthy that this patch arrived only a day after version 72 fixed 11 other flaws, some of which were rated as high risk and could allow threat actors to run malicious code on vulnerable systems.
As for the CVE-2019-17026 vulnerability, there is no further information about the attacks which were detected. Nonetheless, users should update their browsers as soon as possible.