Mozilla has released security updates for Firefox browser that address a zero-day flaw (CVE-2019-17026) that has been exploited in targeted attacks.

Mozilla has released security updates to address a critical Firefox browser zero-day issue (CVE-2019-17026) that has been exploited in targeted attacks.

The CVE-2019-17026 flaw is an “IonMonkey type confusion with StoreElementHole and FallibleStoreElement,” where IonMonkey is the Just-in-Time (JIT) compiler for Firefox’s SpiderMonkey JavaScript engine.

“Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion,” reads the advisory published by Mozilla.

“We are aware of targeted attacks in the wild abusing this flaw.”

Mozilla confirmed that it’s aware of targeted attacks exploiting the CVE-2019-17026 zero-day, but it did not disclose details of the attacks.

The vulnerability was reported to Mozilla by security experts from the Chinese firm Qihoo 360.

The experts reported that the CVE-2019-17026 zero-day had been exploited by attackers along with an Internet Explorer zero-day , Qihoo 360 experts initially disclosed the discovery via Twitter, but later deleted the message.

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) agency also issued a bulletin on the vulnerability warning of the possible exploitation that could allow attackers to take full control of vulnerable systems.

“Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.” reads the CISA’s bulletin.

“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 72.0.1 and Firefox ESR 68.4.1 and apply the necessary updates.”

Mozilla has addressed the flaw with the release of Firefox 72.0.1 and Firefox ESR 68.4.1.

Mozilla this week Firefox 72, a release aimed at improving users’ privacy and that addresses a dozen vulnerabilities.

Pierluigi Paganini

(SecurityAffairs – Bronze President, hacking)