Firefox gets patch for critical zeroday that’s being actively exploited

oldschool

Level 67
Thread author
Verified
Top poster
Well-known
Mar 29, 2018
5,657
Flaw allows attackers to access sensitive memory locations that are normally off-limits.
DAN GOODIN - Today at undefined


Mozilla has released a new version of Firefox that fixes an actively exploited zeroday that could allow attackers to take control of users' computers.

In an advisory, Mozilla rated the vulnerability critical and said it was "aware of targeted attacks in the wild abusing this flaw." The US Cybersecurity and Infrastructure Security Agency said one or more exploits were "detected in the wild" and warned that attacks could be exploited to "take control of an affected system." The Mozilla advisory credited researchers at China-based Qihoo 360 with reporting the flaw.

No other details about the attacks were immediately available. Neither Mozilla nor Qihoo 360 responded immediately to emails asking for more information.

CVE-2019-17026, as the vulnerability is indexed, is a type confusion, a potentially critical error that can result in data being written to, or read from, memory locations that are normally off-limits. These out-of-bounds reads may allow attackers to discover memory locations where malicious code is stored, so that protections such as address space layout randomization can be bypassed. Out-of-bounds reads can also cause computers to crash.

The flaw is fixed in Tuesday's release of Firefox 72.0.1. The patch came a day after version 72 fixed 11 other vulnerabilities, six of which were rated high. Three of those six bugs might make it possible for attackers to run malicious code on affected computers.



FURTHER READING
Potent Firefox 0-day used to install undetected backdoors on Macs
The patching of CVE-2019-17026 comes seven months after Mozilla patched a pair of potent zerodays that attackers exploited in an attempt to install an undetected backdoor on Macs used by cryptocurrency exchange Coinbase.


While details of the new exploits are unavailable, Firefox users should install the patch as soon as practical. The easiest way to do that is use the in-browser update feature, which is available by clicking "About Firefox." In Windows, it's available in the menu's Help section. On Macs, it's in the menu's Firefox section.

Firefox gets patch for critical zeroday that’s being actively exploited
 

DDE_Server

Level 22
Verified
Top poster
Well-known
Sep 5, 2017
1,139
Mozilla released its latest Firefox 72 browser on Tuesday, introducing new privacy features along with patching five high-severity bugs. The release also coincides with a Mozilla update to its Firefox ESR 68.4 browser, designed for mass deployments.

Chief among a number of browser enhancements is the introduction of built-in protections against websites and advertisers that track users across multiple websites using a technique called fingerprinting. The technique identifies visitors based on browser settings that include dozens of invisible variables such as browser versions, fonts, SVG (graphics) widgets and Web Graphics Library (WebGL), for starters.

“Firefox 72 protects users against fingerprinting by blocking all third-party requests to companies that are known to participate in fingerprinting. This prevents those parties from being able to inspect properties of a user’s device using JavaScript. It also prevents them from receiving information that is revealed through network requests, such as the user’s IP address or the user agent header,” wrote Steven Englehardt, a privacy engineer at Mozilla in a blog post Wednesday.

Bug Fixes for Firefox and ESR
The release of Firefox 72 tackles five high-severity flaws, four moderate bugs and one low-risk vulnerability.
Three of the five high-severity bugs were tied to memory-corruption issues. One of the flaws (CVE-2019-17015) is described as “memory corruption in parent process during new content process initialization on Windows.” Attackers exploiting the security hole, which only exists in Windows systems, can create a “crash in the parent process.”

Another high-severity bug (CVE-2019-17017) is a “type-confusion” vulnerability found in XPCVariant.cpp. “The vulnerability allows a remote attacker to execute arbitrary code on the target system,” Mozilla wrote.

The “.ccp” extension of XPCVariant refers to a source-code file written in C++. This variety of type-confusion bug is common within ActionScript Virtual Machine components and is not exclusively problematic to Firefox. It can be triggered “when a piece of code doesn’t verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusion,” according to a Microsoft description.

All of the bug fixes rated “high” by Mozilla on Tuesday apply to both Firefox 72 and ESR 68.4, with the exception of the flaw tracked as CVE-2019-17025. That bug, described as a “memory-safety bug,” only impacts Firefox 72. “Some of these [memory-safety] bugs showed evidence of memory corruption, and we presume that with enough effort, some of these could have been exploited to run arbitrary code,” wrote Mozilla
article source: