Firefox 72.0.1 fixes a security vulnerability that is actively exploited

Mozilla has released Firefox 72.0.1, a new stable version of the Firefox web browser. The release may come as a surprise to many, considering that Firefox 72.0 was released just a few days ago. Firefox ESR, the Extended Support Release aimed specifically at organizations and users who need stability with regard to changes, has also been updated, to Firefox ESR 68.4.1.

While it is not uncommon for Mozilla to release one or even several minor updates between major Firefox releases, it is rare that an update is released just days after a release.

Firefox 72.0.1 fixes a security vulnerability in the web browser that, according to Mozilla, is actively exploited. The release notes list the security fix as the only change in the new Firefox release.

Mozilla’s Security Advisories hub lists a single vulnerability that has been patched in Firefox 72.0.1. The vulnerability has received a rating of critical, the highest available rating reserved for vulnerabilities with a high impact.

The description provides the following information:

CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement

Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw.

Reported by Qihoo 360 ATA, the vulnerability affects the browser’s just-in-time (JIT) compiler. Since it is exploited in the wild, Mozilla had to react quickly to release a patch.

The new versions of the Firefox web browser, Firefox 72.0.1 and Firefox ESR 68.4.1, are already available. Firefox users can download the latest release from Mozilla’s website or use the browser's built-in updating functionality.

A click on Menu > Help > About Mozilla Firefox runs a manual check for updates. The browser should pick up the new version and install it automatically on the system.

Firefox users are encouraged to update the browser as soon as possible to protect the browser against attacks targeting the vulnerability.
