Mozilla has patched a critical zero-day vulnerability in the Firefox browser which is being actively exploited in the wild. The flaw – tracked as CVE-2019-17026 – is a type confusion vulnerability in the IonMonkey just-in-time (JIT) compiler for the Mozilla SpiderMonkey JavaScript engine with StoreElementHole and FallibleStoreElement. The flaw is present in the Firefox web browser for Windows, Linux, and Mac.
The flaw is due to incorrect alias information in the IonMonkey JIT compiler for setting array elements, which could trigger the type confusion flaw which could see the application crash and could allow the remote execution of arbitrary code by a remote attacker in the context of the application. If the flaw is exploited, an attacker could take control of a vulnerable system.
The flaw could be triggered and exploited by convincing a user to visit a specially crafted website, such as through malvertising, redirects, or links in phishing emails. Full details of the vulnerability have not been disclosed and it is unknown which threat actors are actively exploiting the flaw. The flaw was discovered by security researchers at Qihoo 360 ATA.
The latest versions of Firefox with the vulnerability fixed are Firefox 72.0.1 and Firefox ESR 68.4.1. Firefox should update to the latest version automatically, but since the flaw is being actively exploited it is advisable to manually update to the latest version of Firefox. You can do this through the Firefox Menu > Help > About Firefox.
The update comes just a few days after Mozilla released version 72 of its Firefox browser, which included several updates to improve privacy and also corrected around a dozen vulnerabilities including five that were rated high severity.