New zero-day found in Mozilla Firefox
CVE-2019-17026
Sources
https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/
https://nakedsecurity.sophos.com/2020/01/09/browser-zero-day-update-your-firefox-right-now/
Risks
Successful exploitation of this vulnerability allows an attacker to execute their own shellcode remotely with Firefox privileges.
Description
Mozilla has issued an update to patch a critical zero-day flaw. According to their advisory, the issue identified as CVE-2019-17026 is a type confusion bug affecting Firefox’s IonMonkey JavaScript Just-in-Time (JIT) compiler. An attacker exploiting this vulnerability would be able to execute his own shellcode remotely with Firefox privileges.
Recommended Actions
CERT.be recommends that Mozilla Firefox users patch their systems immediately to at least version 72.0.1 for the main release and version 68.4.1 for the ESR release.
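The following is an added example, not part of the CERT.be or Mozilla advisory: one way to check collected version strings against the two minimum versions given above. It assumes strings in the form printed by `firefox --version` (for example `Mozilla Firefox 68.4.1esr`); the function names, host names and sample inventory are constructed for illustration.

```python
import re

# Minimum fixed versions, taken from the recommendation above.
FIXED_RELEASE = (72, 0, 1)
FIXED_ESR = (68, 4, 1)

# Matches e.g. "72.0.1", "71.0", "68.4.1esr", "73.0b3"; the suffix is optional.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?([A-Za-z]\w*)?")


def classify(version_string):
    """Return 'patched', 'needs_update' or 'unknown' for one version string."""
    m = _VERSION_RE.search(version_string)
    if not m:
        return "unknown"
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    suffix = (m.group(4) or "").lower()
    if suffix == "esr":
        minimum = FIXED_ESR
    elif suffix == "":
        # Assumption: a string without a suffix is a main-release build.
        minimum = FIXED_RELEASE
    else:
        # Beta/nightly style suffixes are not covered by the advisory text.
        return "unknown"
    # Tuple comparison orders versions component by component.
    return "patched" if version >= minimum else "needs_update"


def hosts_to_follow_up(inventory):
    """Return {host: status} for every host not confirmed as patched."""
    result = {}
    for host, version_string in inventory.items():
        status = classify(version_string)
        if status != "patched":
            result[host] = status
    return result


# Constructed sample inventory (host name -> collected version string).
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 72.0.1",
    "ws-02": "Mozilla Firefox 71.0",
    "srv-01": "Mozilla Firefox 68.4.1esr",
    "srv-02": "Mozilla Firefox 68.3.0esr",
    "lab-01": "Mozilla Firefox 73.0b3",
}

if __name__ == "__main__":
    for host, status in hosts_to_follow_up(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual check, since the advisory text only names the main release and ESR minimums.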