Firefox gets patch for critical zeroday that’s being actively exploited
<blockquote data-quote="oldschool" data-source="post: 852571" data-attributes="member: 71262"><p><span style="font-size: 22px"><strong>Flaw allows attackers to access sensitive memory locations that are normally off-limits.</strong></span></p><p><a href="https://arstechnica.com/author/dan-goodin/" target="_blank">DAN GOODIN</a></p><p></p><p></p><p>Mozilla has released a new version of Firefox that fixes an actively exploited zeroday that could allow attackers to take control of users' computers.</p><p></p><p>In an <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/" target="_blank">advisory</a>, Mozilla rated the vulnerability critical and said it was "aware of targeted attacks in the wild abusing this flaw." The US Cybersecurity and Infrastructure Security Agency <a href="https://www.us-cert.gov/ncas/current-activity/2020/01/08/mozilla-patches-critical-vulnerability" target="_blank">said</a> one or more exploits were "detected in the wild" and warned that attacks could be exploited to "take control of an affected system." The Mozilla advisory credited researchers at China-based Qihoo 360 with reporting the flaw.</p><p></p><p>No other details about the attacks were immediately available. Neither Mozilla nor Qihoo 360 responded immediately to emails asking for more information.</p><p></p><p>CVE-2019-17026, as the vulnerability is indexed, is a <a href="https://cwe.mitre.org/data/definitions/843.html" target="_blank">type confusion</a>, a potentially critical error that can result in data being written to, or read from, memory locations that are normally off-limits. These <a href="https://cwe.mitre.org/data/definitions/125.html" target="_blank">out-of-bounds reads</a> may allow attackers to discover memory locations where malicious code is stored, so that protections such as <a href="https://en.wikipedia.org/wiki/Address_space_layout_randomization" target="_blank">address space layout randomization</a> can be bypassed. 
Out-of-bounds reads can also cause computers to crash.</p><p></p><p>The flaw is fixed in Tuesday's release of Firefox 72.0.1. The patch came a day after version 72 <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/" target="_blank">fixed 11 other vulnerabilities</a>, six of which were rated high. Three of those six bugs might make it possible for attackers to run malicious code on affected computers.</p><p></p><p></p><p></p><p><span style="font-size: 18px"><strong>FURTHER READING</strong></span></p><p><a href="https://arstechnica.com/information-technology/2019/06/potent-firefox-0day-used-to-install-undetected-backdoors-on-macs/" target="_blank">Potent Firefox 0-day used to install undetected backdoors on Macs</a></p><p>The patching of CVE-2019-17026 comes seven months after Mozilla <a href="https://arstechnica.com/information-technology/2019/06/potent-firefox-0day-used-to-install-undetected-backdoors-on-macs/" target="_blank">patched a pair of potent zerodays</a> that attackers exploited in an attempt to install an undetected backdoor on Macs used by cryptocurrency exchange Coinbase.</p><p></p><p></p><p>While details of the new exploits are unavailable, Firefox users should install the patch as soon as practical. The easiest way to do that is to use the in-browser update feature, which is available by clicking "About Firefox." In Windows, it's available in the menu's Help section. On Macs, it's in the menu's Firefox section.</p><p></p><p><a href="https://arstechnica.com/information-technology/2020/01/firefox-gets-patch-for-critical-zeroday-thats-being-actively-exploited" target="_blank">Firefox gets patch for critical zeroday that’s being actively exploited</a></p></blockquote><p></p>