The Department of Homeland Security issued a rare warning to users of the popular Firefox browser, telling them to update their browsers immediately due to a recently detected vulnerability that could allow hackers to take control of their entire operating system.
Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 72.0.1 and Firefox ESR 68.4.1 and apply the necessary updates.
On Wednesday, Mozilla, the developer of the Firefox browser, released Firefox 72.0.1 to address the security vulnerability, which lets hackers run unauthorized code through a webpage and so gain access to an affected system. The latest version of Firefox had only been out for two days when the vulnerability was discovered. Mozilla, which rated the risk as “critical,” explained:
Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw.
The vulnerability was detected by Chinese security company Qihoo, which found that the bug could allow an attacker to break into a user’s system undetected by tricking the victim into accessing a website running malicious code.
Browser vulnerabilities are a hot commodity in security circles because they can be used to infect vulnerable computers, often silently and without the user noticing, and to deliver malware or ransomware. Browsers are also a target for nation states and governments, whose surveillance tools are known as network investigative techniques, or NITs. These vulnerability-exploiting tools have been used by federal agents to spy on and catch criminals. But these tools have drawn ire from the security community because the feds’ failure to disclose the bugs to the software makers could result in bad actors exploiting the same vulnerabilities for malicious purposes.
This is the third serious vulnerability Firefox has had to deal with in the last several months. This week’s attack follows a pair of zero-day Firefox vulnerabilities in June 2019 that could have been used to install backdoors on Macs.
Because there are ongoing attacks exploiting this flaw in the wild, it’s important, if you’re a Firefox user, to check your browser immediately to ensure you have the most recent security patches to prevent any unwanted malicious intrusions into your operating system.
By default, Firefox will update automatically, but you can always do a manual update. Manual updates will still let Firefox download an update, but it won’t install it until you restart Firefox. Here’s how to update manually:
- On the menu bar click the Firefox menu and select About Firefox.
- The About Firefox window will open. Firefox will begin checking for updates and downloading them automatically.
- When the download is complete, click “Restart to update Firefox.”
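
For administrators who need to check many machines rather than one, the same version check can be scripted. The following is an added example, not code from Mozilla or CISA: it compares collected version strings against the fixed versions named above (72.0.1 and ESR 68.4.1). It assumes each string has the form printed by `firefox --version`, and the hostnames and the `audit` helper are hypothetical.

```python
import re

# Fixed versions named in the advisory quoted above.
FIXED_RELEASE = (72, 0, 1)
FIXED_ESR = (68, 4, 1)

# Assumed input: the line printed by `firefox --version`, e.g.
# "Mozilla Firefox 72.0.1" or "Mozilla Firefox 68.4.1esr".
_VERSION_RE = re.compile(r"Firefox\s+(\d+(?:\.\d+){0,2})(esr)?\s*$")


def parse_version(line):
    """Return ((major, minor, patch), is_esr), or None if unrecognised."""
    m = _VERSION_RE.search(line.strip())
    if not m:
        return None  # betas, nightlies, truncated output, other browsers
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # "72.0" -> (72, 0, 0)
    return tuple(parts), m.group(2) is not None


def status(line):
    """Classify one version line: 'patched', 'update-needed' or 'unknown'."""
    parsed = parse_version(line)
    if parsed is None:
        return "unknown"  # never report an unparsed version as patched
    version, is_esr = parsed
    # A string without the "esr" suffix is held to the release-channel
    # threshold, which is the stricter of the two.
    fixed = FIXED_ESR if is_esr else FIXED_RELEASE
    return "patched" if version >= fixed else "update-needed"


def audit(inventory):
    """Given {host: version line}, return the hosts that are not patched."""
    results = {host: status(line) for host, line in inventory.items()}
    return {h: s for h, s in results.items() if s != "patched"}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "ws-01": "Mozilla Firefox 72.0.1",
        "ws-02": "Mozilla Firefox 72.0",
        "ws-03": "Mozilla Firefox 68.4.1esr",
        "ws-04": "Mozilla Firefox 68.4.0esr",
        "ws-05": "Mozilla Firefox 72.0b5",
    }
    for host, result in sorted(audit(sample).items()):
        print(host, result)
```

Hosts reported as `unknown` should be checked by hand rather than assumed safe.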